From 85a51e4a9c33d75ef0fed2f364b75244fb689e82 Mon Sep 17 00:00:00 2001
From: fl0l0u <16851037+fl0l0u@users.noreply.github.com>
Date: Tue, 28 Jun 2022 15:16:37 +0200
Subject: [PATCH 1/3] Adding argument parsing with following features: -
serialVersionUID override (-s) - arbitrary data addition before payload (-p)
---
pom.xml | 5 +
src/main/java/ysoserial/GeneratePayload.java | 146 +++++++++++++------
src/main/java/ysoserial/Serializer.java | 85 +++++++++++
3 files changed, 195 insertions(+), 41 deletions(-)
diff --git a/pom.xml b/pom.xml
index 97a10db9..011d1897 100644
--- a/pom.xml
+++ b/pom.xml
@@ -177,6 +177,11 @@
remoting-jmx
2.0.1.Final
+
+ commons-cli
+ commons-cli
+ 1.5.0
+
diff --git a/src/main/java/ysoserial/GeneratePayload.java b/src/main/java/ysoserial/GeneratePayload.java
index 88776f34..6caa2a81 100644
--- a/src/main/java/ysoserial/GeneratePayload.java
+++ b/src/main/java/ysoserial/GeneratePayload.java
@@ -8,49 +8,113 @@
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.ParseException;
+
@SuppressWarnings("rawtypes")
public class GeneratePayload {
- private static final int INTERNAL_ERROR_CODE = 70;
- private static final int USAGE_CODE = 64;
-
- public static void main(final String[] args) {
- if (args.length != 2) {
- printUsage();
- System.exit(USAGE_CODE);
- }
- final String payloadType = args[0];
- final String command = args[1];
-
- final Class extends ObjectPayload> payloadClass = Utils.getPayloadClass(payloadType);
- if (payloadClass == null) {
- System.err.println("Invalid payload type '" + payloadType + "'");
- printUsage();
- System.exit(USAGE_CODE);
- return; // make null analysis happy
- }
-
- try {
- final ObjectPayload payload = payloadClass.newInstance();
- final Object object = payload.getObject(command);
- PrintStream out = System.out;
- Serializer.serialize(object, out);
- ObjectPayload.Utils.releasePayload(payload, object);
- } catch (Throwable e) {
- System.err.println("Error while generating or serializing payload");
- e.printStackTrace();
- System.exit(INTERNAL_ERROR_CODE);
- }
- System.exit(0);
- }
-
- private static void printUsage() {
- System.err.println("Y SO SERIAL?");
- System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'");
- System.err.println(" Available payload types:");
-
- final List> payloadClasses =
- new ArrayList>(ObjectPayload.Utils.getPayloadClasses());
- Collections.sort(payloadClasses, new Strings.ToStringComparator()); // alphabetize
+ private static final int INTERNAL_ERROR_CODE = 70;
+ private static final int USAGE_CODE = 64;
+
+ public static void main(final String[] argv) {
+ CommandLine commandLine = null;
+ Options options = new Options();
+
+ Option serial = Option.builder("s")
+ .longOpt("serial")
+ .numberOfArgs(1)
+ .argName("Class=long")
+ .desc("Override serialVersionUID for a given class")
+ .build();
+ Option prepend = Option.builder("p")
+ .longOpt("prepend")
+ .numberOfArgs(1)
+ .argName("Class=str")
+ .desc("Prepend payload with item(s)")
+ .build();
+ Option help = Option.builder("h")
+ .longOpt("help")
+ .desc("Print usage")
+ .build();
+
+ options.addOption(serial);
+ options.addOption(prepend);
+ options.addOption(help);
+
+ CommandLineParser parser = new DefaultParser();
+ try {
+ commandLine = parser.parse(options, argv);
+ } catch (ParseException exp) {
+ System.err.println("Unexpected exception:" + exp.getMessage());
+ System.exit(USAGE_CODE);
+ }
+ String [] args = commandLine.getArgs();
+ if (args.length != 2 || commandLine.hasOption("help")) {
+ printUsage();
+ System.exit(USAGE_CODE);
+ }
+
+ List serialObjects = new ArrayList();
+ if(commandLine.hasOption("serial")) {
+ String [] propvalues = commandLine.getOptionValues("serial");
+ for (String propvalue : propvalues) {
+ serialObjects.add(propvalue);
+ }
+ }
+ List prependedObjects = new ArrayList();
+ if(commandLine.hasOption("prepend")) {
+ String [] propvalues = commandLine.getOptionValues("prepend");
+ for (String propvalue : propvalues) {
+ prependedObjects.add(propvalue);
+ }
+ }
+
+ final String payloadType = args[0];
+ final String command = args[1];
+
+ final Class extends ObjectPayload> payloadClass = Utils.getPayloadClass(payloadType);
+ if (payloadClass == null) {
+ System.err.println("Invalid payload type '" + payloadType + "'");
+ printUsage();
+ System.exit(USAGE_CODE);
+ return; // make null analysis happy
+ }
+
+ try {
+ final ObjectPayload payload = payloadClass.newInstance();
+ final Object object = payload.getObject(command);
+ PrintStream out = System.out;
+ Serializer.serialize(object, out, serialObjects, prependedObjects);
+ ObjectPayload.Utils.releasePayload(payload, object);
+ } catch (Throwable e) {
+ System.err.println("Error while generating or serializing payload");
+ e.printStackTrace();
+ System.exit(INTERNAL_ERROR_CODE);
+ }
+ System.exit(0);
+ }
+
+ private static void printUsage() {
+ System.err.println("Y SO SERIAL?");
+ System.err.println("Usage: java -jar ysoserial-[version]-all.jar [options] ''");
+ System.err.println(" Options:");
+ System.err.println(" -h,--help Print usage\n");
+ System.err.println(" -s,--serial Override serialVersionUID for a given class:\n"+
+ " ex. -s org.apache.commons.beanutils.BeanComparator=-3490850999041592962 ...\n");
+ System.err.println(" -p,--prepend