execution参数反序列化漏洞解密
Wh0ale committed Aug 1, 2020
0 parents commit c906bb5
Showing 18 changed files with 355 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .idea/.gitignore


12 changes: 12 additions & 0 deletions .idea/artifacts/ExecutionDecode_jar.xml


16 changes: 16 additions & 0 deletions .idea/compiler.xml


7 changes: 7 additions & 0 deletions .idea/encodings.xml


10 changes: 10 additions & 0 deletions .idea/libraries/lib.xml


17 changes: 17 additions & 0 deletions .idea/misc.xml


6 changes: 6 additions & 0 deletions .idea/vcs.xml


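--- a/ExecutionDecode.iml
+++ b/ExecutionDecode.iml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4" />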
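--- a/README.MD
+++ b/README.MD
@@ -0,0 +1,9 @@
+CAS execution参数解密
+
+Usage:
+
+ExecutionDecode -t <execution-value> 解密execution
+ExecutionDecode -f <execution-value-file> 读取文件内容
+ExecutionDecode -b <execution-value-byte> 将byte类型转为十六进制
+
+![img](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F235d6bb8-a696-4d12-98d3-0a39335c4caf%2FUntitled.png?table=block&id=1736769f-c456-4c18-8485-0c0e1ab68893&width=3410&cache=v2)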
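--- a/pom.xml
+++ b/pom.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>org.example</groupId>
+<artifactId>ExecutionDecode</artifactId>
+<version>1.0-SNAPSHOT</version>
+<packaging>jar</packaging>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<maven.compiler.source>1.8</maven.compiler.source>
+<maven.compiler.target>1.8</maven.compiler.target>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>bcprov</groupId>
+<artifactId>bcprov</artifactId>
+<version>1.50</version>
+<scope>system</scope>
+<systemPath>${project.basedir}/src/main/java/lib/bcprov-jdk15on-1.50.jar</systemPath>
+</dependency>
+<dependency>
+<groupId>cryp</groupId>
+<artifactId>cryp</artifactId>
+<version>1.0</version>
+<scope>system</scope>
+<systemPath>${project.basedir}/src/main/java/lib/cryptacular-1.0.jar</systemPath>
+</dependency>
+<dependency>
+<groupId>webflow</groupId>
+<artifactId>webflow</artifactId>
+<version>2.4.1</version>
+<scope>system</scope>
+<systemPath>${project.basedir}/src/main/java/lib/spring-webflow-2.4.1.RELEASE.jar</systemPath>
+</dependency>
+<dependency>
+<groupId>webflow1</groupId>
+<artifactId>webflow1</artifactId>
+<version>1.0.0</version>
+<scope>system</scope>
+<systemPath>${project.basedir}/src/main/java/lib/spring-webflow-client-repo-1.0.0.jar</systemPath>
+</dependency>
+</dependencies>
+
+<build>
+<finalName>ExecutionDecode</finalName>
+<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+<plugins>
+<plugin>
+<artifactId>maven-clean-plugin</artifactId>
+<version>3.1.0</version>
+</plugin>
+<!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
+<plugin>
+<artifactId>maven-resources-plugin</artifactId>
+<version>3.0.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>3.8.0</version>
+</plugin>
+<plugin>
+<artifactId>maven-surefire-plugin</artifactId>
+<version>2.22.1</version>
+</plugin>
+
+<plugin>
+<artifactId>maven-install-plugin</artifactId>
+<version>2.5.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-deploy-plugin</artifactId>
+<version>2.8.2</version>
+</plugin>
+
+<plugin>
+<artifactId>maven-assembly-plugin</artifactId>
+<configuration>
+<finalName>${project.artifactId}-${project.version}-all</finalName>
+<!--jar-with-dependencies将附加到最终名称-->
+<appendAssemblyId>false</appendAssemblyId>
+<archive>
+<manifest>
+<!--运行jar包时运行的主类,要求类全名-->
+<mainClass>ExecutionDecode</mainClass>
+</manifest>
+</archive>
+<descriptor>${project.basedir}/src/main/resources/assembly.xml</descriptor>
+</configuration>
+<executions>
+<execution><!--执行器 mvn assembly:assembly-->
+<id>make-assembly</id>
+<phase>package</phase>
+<goals>
+<goal>single</goal><!-- 只运行一次 -->
+</goals>
+</execution>
+</executions>
+</plugin>
+
+</plugins>
+</pluginManagement>
+</build>
+</project>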
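Review bot: The four `<dependency>` entries resolve checked-in jars through `<scope>system</scope>` and `<systemPath>` under made-up coordinates (`bcprov:bcprov`, `cryp:cryp`, `webflow:webflow`, `webflow1:webflow1`), so Maven never checks them against a repository checksum and dependency scanners cannot match them to published advisories. Where the artifacts are published, declare them by their real coordinates instead, e.g. `<groupId>org.bouncycastle</groupId>`, `<artifactId>bcprov-jdk15on</artifactId>`, `<version>1.50</version>` with no `<scope>` or `<systemPath>`; for any jar that has to stay vendored, record its expected SHA-256 next to it. Separately, `maven-assembly-plugin` is configured only inside `<pluginManagement>` and carries no `<version>`, so as far as this file shows `mvn package` will not run the `make-assembly` execution; it also needs an entry under `<build><plugins>`.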
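--- a/src/main/java/ExecutionDecode.java
+++ b/src/main/java/ExecutionDecode.java
@@ -0,0 +1,131 @@
+import java.io.*;
+import java.lang.reflect.Field;
+import java.util.Base64;
+import java.util.zip.GZIPInputStream;
+import org.cryptacular.bean.CipherBean;
+
+public class ExecutionDecode{
+public static String byte2HexString(byte[] bytes) {
+String hex = "";
+if (bytes != null) {
+for (Byte b : bytes) {
+hex += String.format("%02X", b.intValue() & 0xFF);
+}
+}
+return hex;
+}
+
+public static void saveFile(String filename,byte [] data)throws Exception{
+if(data != null){
+String filepath = filename;
+File file = new File(filepath);
+if(file.exists()){
+file.delete();
+}
+FileOutputStream fos = new FileOutputStream(file);
+fos.write(data,0,data.length);
+fos.flush();
+fos.close();
+}
+}
+
+public static byte[] unGZip(byte[] data) {
+byte[] b = null;
+try {
+ByteArrayInputStream bis = new ByteArrayInputStream(data);
+GZIPInputStream gzip = new GZIPInputStream(bis);
+byte[] buf = new byte[1024];
+int num = -1;
+ByteArrayOutputStream baos = new ByteArrayOutputStream();
+while ((num = gzip.read(buf, 0, buf.length)) != -1) {
+baos.write(buf, 0, num);
+}
+b = baos.toByteArray();
+baos.flush();
+baos.close();
+gzip.close();
+bis.close();
+} catch (Exception ex) {
+ex.printStackTrace();
+}
+return b;
+}
+
+public static void main(String[] args) throws Exception {
+if (args.length == 2) {
+if (args[0].toLowerCase().equals("-t")){
+try {
+String execution = new String(args[1]);
+// 将execution解码为byte数组
+byte[] bytepayload = Base64.getDecoder().decode(execution);
+// 获取字节码对象
+Class class1 = Class.forName("org.jasig.spring.webflow.plugin.EncryptedTranscoder");
+// 创建对象
+Object test = class1.newInstance();
+// 反射获取属性
+Field field = class1.getDeclaredField("cipherBean");
+// 设置反射时取消Java的访问检查
+field.setAccessible(true);
+// 返回指定对象 test 上此 Field 表示的字段的值
+CipherBean cipherb = (CipherBean) field.get(test);
+// 执行解密操作
+byte[] result = cipherb.decrypt(bytepayload);
+// 解压缩
+byte[] unGZippaylaod = unGZip(result);
+// 写文件
+// saveFile("test.bin", unGZippaylaod);
+// 需要转化为十六进制
+String resulthex = byte2HexString(unGZippaylaod);
+String payload = new String(unGZippaylaod);
+// System.out.println(payload);
+System.out.println(resulthex);
+}catch (Exception e){
+e.printStackTrace();
+}
+}
+else if (args[0].toLowerCase().equals("-f")) {
+File f = new File(args[1]);
+if (f.exists()) {
+try {
+BufferedReader in = new BufferedReader(new FileReader(f));
+String str;
+while ((str = in.readLine()) != null) {
+System.out.println(str);
+}
+System.out.println(str);
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
+else{
+throw new RuntimeException(args[1] + " File Not Found...");
+}
+}
+else if (args[0].toLowerCase().equals("-b")){
+File f = new File(args[1]);
+if (f.exists()) {
+try {
+byte[] fileContents = new byte[(int) f.length()];
+FileInputStream fis = new FileInputStream(f);
+fis.read(fileContents);
+fis.close();
+String resulthex = byte2HexString(fileContents);
+System.out.println(resulthex);
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
+else{
+throw new RuntimeException(args[1] + " File Not Found...");
+}
+
+}
+}
+else {
+System.out.println("Usage:");
+System.out.println("\tExecutionDecode -t <execution-value> 解密execution");
+System.out.println("\tExecutionDecode -f <execution-value-file> 读取文件内容");
+System.out.println("\tExecutionDecode -b <execution-value-byte> 将byte类型转为十六进制");
+}
+}
+}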
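Review bot: `unGZip` inflates the decrypted `execution` bytes with no cap on output size and turns every failure into a stack trace plus `null`, which the `-t` branch then hands to `new String(unGZippaylaod)`, so a malformed or hostile value surfaces as an unrelated NullPointerException. Bound the output and close the streams with try-with-resources as in the fence below, and guard the caller with `if (unGZippaylaod == null) { return; }` before `byte2HexString`. In the `-f` branch the `System.out.println(str);` after the loop always prints `null` and the reader is never closed; delete that line and open the reader in a try-with-resources, and note that `-b` relies on a single `fis.read(fileContents)` that may return fewer bytes than the file holds. A comment above `Class.forName(...)` would also help: `// Decrypts with whatever key a default-constructed EncryptedTranscoder carries; treat the result as untrusted data, hex-dump it only, never pass it to ObjectInputStream.`

```java
public static byte[] unGZip(byte[] data) {
    // Constructed limit; size it to the largest execution value you expect to analyse.
    final int maxOut = 16 * 1024 * 1024;
    try (GZIPInputStream gzip = new GZIPInputStream(new ByteArrayInputStream(data));
         ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
        byte[] buf = new byte[1024];
        int num;
        while ((num = gzip.read(buf, 0, buf.length)) != -1) {
            if (baos.size() + num > maxOut) {
                throw new IOException("decompressed payload exceeds " + maxOut + " bytes");
            }
            baos.write(buf, 0, num);
        }
        return baos.toByteArray();
    } catch (IOException ex) {
        ex.printStackTrace();
        return null; // callers must check for null before using the result
    }
}
```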
Binary file added src/main/java/lib/bcprov-jdk15on-1.50.jar
Binary file not shown.
Binary file added src/main/java/lib/cryptacular-1.0.jar
Binary file not shown.
Binary file not shown.
Binary file not shown.
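--- a/src/main/resources/META-INF/MANIFEST.MF
+++ b/src/main/resources/META-INF/MANIFEST.MF
@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Main-Class: ExecutionDecode
+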
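--- a/src/main/resources/assembly.xml
+++ b/src/main/resources/assembly.xml
@@ -0,0 +1,32 @@
+<assembly
+xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3 http://maven.apache.org/xsd/assembly-1.1.3.xsd
+http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3 ">
+<id>fat-tests</id>
+<formats>
+<!--打包的文件格式,也可以有:war zip-->
+<format>jar</format>
+</formats>
+<!--指定打的包是否包含打包成目录-->
+<includeBaseDirectory>false</includeBaseDirectory>
+<!-- 指定将工程依赖的包打到包里的指定目录下 -->
+<dependencySets>
+<dependencySet>
+<outputDirectory>/</outputDirectory>
+<useProjectArtifact>true</useProjectArtifact><!--是否把本项目添加到依赖文件夹下-->
+<unpack>true</unpack>
+<scope>test</scope>
+</dependencySet>
+</dependencySets>
+<fileSets><!-- 指定要包含的文件集,可以定义多个fileSet -->
+<fileSet>
+<directory>${project.build.directory}/test-classes</directory><!-- 指定归档文件(要打的jar包)要包含的目录(下的文件及文件夹) -->
+<outputDirectory>/</outputDirectory>
+<includes>
+<include>**/*.class</include>
+</includes>
+<useDefaultExcludes>true</useDefaultExcludes>
+</fileSet>
+</fileSets>
+</assembly>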
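Review bot: `<unpack>true</unpack>` with `<scope>test</scope>` explodes every selected dependency jar into the archive root without filtering, and if that selection includes the Bouncy Castle jar vendored in pom.xml, its `META-INF` signature files land beside a manifest they no longer match, which typically makes the JVM refuse to load the fat jar. Add an `<unpackOptions>` exclusion for signature files as in the fence below, and check that nothing in the tool depends on the provider jar staying signed. The descriptor also reads like a test-jar template (`<id>fat-tests</id>`, a `fileSet` on `test-classes`) although this commit shows no test sources, and `xsi:schemaLocation` ends with a namespace URI that has no schema location paired with it.

```xml
<unpack>true</unpack>
<!-- signature files from signed dependency jars do not match the merged archive -->
<unpackOptions>
  <excludes>
    <exclude>META-INF/*.SF</exclude>
    <exclude>META-INF/*.DSA</exclude>
    <exclude>META-INF/*.RSA</exclude>
  </excludes>
</unpackOptions>
```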
Binary file added test.bin
Binary file not shown.
