Package eu.tneitzel.rmg.io
Class SingleOpOutputStream
- java.lang.Object
-
- java.io.OutputStream
-
- java.io.ByteArrayOutputStream
-
- eu.tneitzel.rmg.io.SingleOpOutputStream
-
- All Implemented Interfaces:
Closeable,Flushable,AutoCloseable
public class SingleOpOutputStream extends ByteArrayOutputStream
The SingleOpOutputStream class is used during SSRF operations. When the SSRF option is used, remote-method-guesser collects output data into an byte array instead of sending it to a remote server. The corresponding RMI calls always use the stream protocol, which is not ideal for SSRF attacks. The SingleOpOutputStream abuses the fact that Java RMI calls the flush method on the stream directly before and after the handshake that is performed within the stream protocol. This allows to cleanly cutoff the handshake and to switch the contents of the resulting byte array to the single operation protocol.- Author:
- Tobias Neitzel (@qtc_de)
-
-
Field Summary
-
Fields inherited from class java.io.ByteArrayOutputStream
buf, count
-
-
Constructor Summary
Constructors Constructor Description SingleOpOutputStream()Simple constructor.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voidwrite(byte[] b, int off, int len)Java RMI calls the flush method before and after the handshake.-
Methods inherited from class java.io.ByteArrayOutputStream
close, reset, size, toByteArray, toString, toString, toString, toString, write, writeBytes, writeTo
-
Methods inherited from class java.io.OutputStream
flush, nullOutputStream, write
-
-
-
-
Method Detail
-
write
public void write(byte[] b, int off, int len)Java RMI calls the flush method before and after the handshake. During the first call, only the RMI magic, the protocol version and the protocol type are contained in the stream. After the second call, the client host and client port are contained. Afterwards, the handshake has completed and the RMI communication starts.- Overrides:
writein classByteArrayOutputStream
-
-