
Commit 4d0d596

committed
yaml rce
1 parent e6d3738 commit 4d0d596


4 files changed

+14
-6
lines changed


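--- a/CHANGELOG.MD
+++ b/CHANGELOG.MD
@@ -97,7 +97,7 @@ Others:
 当环境是`JDK9+`时,反射调用方法即可。修复了一处功能`bug`并优先加载当前目录的`config.yaml`文件,不会删除,实现了保存设置功能。
 
 另外提供了两种`exe`的下载:
-- 内置`JRE``xray``exe`可以一键启动:`super-xray-0.7-jre-exe.zip`
+- 内置`JRE``exe`可以一键启动:`super-xray-0.7-jre-exe.zip`
 - 调用系统`JRE``exe``super-xray-0.7-system-jre.exe`
 
 第一种不需要安装任何环境,解压后直接使用;第二种需要本地`JAVA_HOME`或环境变量有配置`Java`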

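--- a/src/main/java/com/chaitin/xray/form/LookupConfigForm.java
+++ b/src/main/java/com/chaitin/xray/form/LookupConfigForm.java
@@ -3,7 +3,9 @@
 import com.chaitin.xray.utils.StringUtil;
 import com.intellij.uiDesigner.core.GridConstraints;
 import com.intellij.uiDesigner.core.GridLayoutManager;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import javax.swing.*;
 import java.awt.*;
@@ -57,7 +59,7 @@ public LookupConfigForm() {
 return;
 }
 try {
-Yaml yaml = new Yaml();
+Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 String newConfig = configTextArea.getText();
 MainForm.configObj = yaml.load(newConfig);
 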
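Review bot: `MainForm.configObj = yaml.load(newConfig)` now throws a SnakeYAML `YAMLException` for any document that carries a tag outside the standard YAML types, because SafeConstructor has no constructor for other tags; the `try {` two lines above is visible but its catch clause is outside the hunk, so whether a rejected document is reported to the user or silently dropped cannot be confirmed from here. The assignment also still relies on SnakeYAML's unchecked generic conversion of the loaded value, so the declared type of `MainForm.configObj` is not enforced at the call site. The expression `new Yaml(new SafeConstructor(new LoaderOptions()))` is repeated here and in MainForm.reloadConfig and MainForm.refreshConfig; a single `static Yaml safeYaml()` helper on MainForm, commented with `// SafeConstructor: only standard YAML types, tags cannot instantiate application classes`, would keep the three sites from drifting apart. The LookupConfigForm constructor begins and ends outside the hunk.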
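--- a/src/main/java/com/chaitin/xray/form/MainForm.java
+++ b/src/main/java/com/chaitin/xray/form/MainForm.java
@@ -12,7 +12,9 @@
 import com.intellij.uiDesigner.core.Spacer;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import javax.swing.*;
 import javax.swing.border.TitledBorder;
@@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) {
 }
 configTemplate = configStr;
 
-Yaml yaml = new Yaml();
+Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 configObj = yaml.load(configStr);
 
 try {
@@ -684,7 +686,7 @@ public void initPluginSave() {
 }
 
 public void refreshConfig() {
-Yaml yaml = new Yaml();
+Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 StringWriter writer = new StringWriter();
 yaml.dump(configObj, writer);
 configStr = writer.toString();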
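Review bot: In the reloadConfig hunk, `configObj = yaml.load(configStr)` sits before the `try {` on the following line, so a config file that SafeConstructor rejects (any document with a non-standard tag) now propagates a `YAMLException` out of reloadConfig unless a caller handles it; the rest of reloadConfig is outside the hunk, so that cannot be checked here. Since the changelog entry says `config.yaml` is loaded from the current directory first, a clear error path for a rejected file is worth confirming. In refreshConfig the instance is only used for `yaml.dump(configObj, writer)`, where the constructor argument has no effect, so the SafeConstructor there is harmless but cosmetic; a single `static Yaml safeYaml()` helper used by both methods and by LookupConfigForm would make the intent explicit in one place. The `new LoaderOptions()` defaults (alias and nesting limits) are what bound resource use on a hostile file; if those limits matter for this project, pinning them explicitly via the LoaderOptions setters would document the policy rather than inherit it from the library version.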

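--- a/src/main/java/com/chaitin/xray/test/Main.java
+++ b/src/main/java/com/chaitin/xray/test/Main.java
@@ -5,7 +5,11 @@
 
 public class Main {
 public static void main(String[] args)throws Exception {
-Process p = Runtime.getRuntime().exec("ls");
-System.out.println(JNAUtil.getProcessID(p));
+String context = "!!javax.script.ScriptEngineManager [\n" +
+" !!java.net.URLClassLoader [[\n" +
+" !!java.net.URL [\"file:./yaml.jar\"]\n" +
+" ]]\n" +
+"]";
+System.out.println(context);
 }
 }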
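Review bot: `Main.main` now only prints the YAML document and never passes it to a loader, so it does not verify that the SafeConstructor-configured `Yaml` introduced in MainForm and LookupConfigForm actually rejects a document with application-class tags; the file does not exercise the fix it was committed alongside. A regression test that loads `context` through `new Yaml(new SafeConstructor(new LoaderOptions()))` and asserts that a `YAMLException` is thrown would turn this into a useful check, and the `throws Exception` on a method that now only builds a string and prints it is misleading. The removed lines were the only references to `Process` and `JNAUtil` in the hunk; if `JNAUtil` is imported above line 5, that import is now unused. The class is complete within the hunk.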
