Skip to content
Permalink
Browse files Browse the repository at this point in the history
yaml rce
  • Loading branch information
4ra1n committed Nov 24, 2022
1 parent e6d3738 commit 4d0d596
Show file tree
Hide file tree
Showing 4 changed files with 14 additions and 6 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.MD
Expand Up @@ -97,7 +97,7 @@ Others:
当环境是`JDK9+`时,反射调用方法即可。修复了一处功能`bug`并优先加载当前目录的`config.yaml`文件,不会删除,实现了保存设置功能。

另外提供了两种`exe`的下载:
- 内置`JRE``xray``exe`可以一键启动:`super-xray-0.7-jre-exe.zip`
- 内置`JRE``exe`可以一键启动:`super-xray-0.7-jre-exe.zip`
- 调用系统`JRE``exe``super-xray-0.7-system-jre.exe`

第一种不需要安装任何环境,解压后直接使用;第二种需要本地`JAVA_HOME`或环境变量有配置`Java`
Expand Down
4 changes: 3 additions & 1 deletion src/main/java/com/chaitin/xray/form/LookupConfigForm.java
Expand Up @@ -3,7 +3,9 @@
import com.chaitin.xray.utils.StringUtil;
import com.intellij.uiDesigner.core.GridConstraints;
import com.intellij.uiDesigner.core.GridLayoutManager;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import javax.swing.*;
import java.awt.*;
Expand Down Expand Up @@ -57,7 +59,7 @@ public LookupConfigForm() {
return;
}
try {
Yaml yaml = new Yaml();
Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
String newConfig = configTextArea.getText();
MainForm.configObj = yaml.load(newConfig);

Expand Down
6 changes: 4 additions & 2 deletions src/main/java/com/chaitin/xray/form/MainForm.java
Expand Up @@ -12,7 +12,9 @@
import com.intellij.uiDesigner.core.Spacer;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import javax.swing.*;
import javax.swing.border.TitledBorder;
Expand Down Expand Up @@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) {
}
configTemplate = configStr;

Yaml yaml = new Yaml();
Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
configObj = yaml.load(configStr);

try {
Expand Down Expand Up @@ -684,7 +686,7 @@ public void initPluginSave() {
}

public void refreshConfig() {
Yaml yaml = new Yaml();
Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
StringWriter writer = new StringWriter();
yaml.dump(configObj, writer);
configStr = writer.toString();
Expand Down
8 changes: 6 additions & 2 deletions src/main/java/com/chaitin/xray/test/Main.java
Expand Up @@ -5,7 +5,11 @@

public class Main {
public static void main(String[] args)throws Exception {
Process p = Runtime.getRuntime().exec("ls");
System.out.println(JNAUtil.getProcessID(p));
String context = "!!javax.script.ScriptEngineManager [\n" +
" !!java.net.URLClassLoader [[\n" +
" !!java.net.URL [\"file:./yaml.jar\"]\n" +
" ]]\n" +
"]";
System.out.println(context);
}
}

0 comments on commit 4d0d596

Please sign in to comment.