From 3eb80960206c24250cee27e31444734dbdb69cc8 Mon Sep 17 00:00:00 2001 From: liquidsec Date: Thu, 21 Dec 2023 17:31:35 -0500 Subject: [PATCH] fixing jsf_viewstate custom secrets issue --- badsecrets/examples/cli.py | 2 +- badsecrets/modules/jsf_viewstate.py | 15 ++++++++++--- tests/examples_cli_test.py | 35 +++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 4 deletions(-) diff --git a/badsecrets/examples/cli.py b/badsecrets/examples/cli.py index 2bc1cc4..924269c 100755 --- a/badsecrets/examples/cli.py +++ b/badsecrets/examples/cli.py @@ -33,7 +33,7 @@ def print_version(): version = pkg_resources.get_distribution("badsecrets").version if version == "0.0.0": - version = "Version Unknown (Running w/poetry?)" + version = "ersion Unknown (Running w/poetry?)" print(f"v{version}\n") diff --git a/badsecrets/modules/jsf_viewstate.py b/badsecrets/modules/jsf_viewstate.py index ddcbb06..1d421b6 100644 --- a/badsecrets/modules/jsf_viewstate.py +++ b/badsecrets/modules/jsf_viewstate.py @@ -243,7 +243,10 @@ def check_secret(self, jsf_viewstate_value): # Mojarra decryption for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]): - password_bytes = base64.b64decode(l.rstrip()) + try: + password_bytes = base64.b64decode(l.rstrip()) + except binascii.Error: + continue decrypted = self.AES_decrypt(jsf_viewstate_value, password_bytes) if decrypted: @@ -279,7 +282,10 @@ def check_secret(self, jsf_viewstate_value): # Attempt to solve mac_key for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]): - password_bytes = base64.b64decode(l.rstrip()) + try: + password_bytes = base64.b64decode(l.rstrip()) + except binascii.Error: + continue myfaces_solved_mac_key, myfaces_solved_mac_algo = self.myfaces_mac(ct_bytes, password_bytes) if myfaces_solved_mac_key: break 
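Review bot: The literal `"ersion Unknown (Running w/poetry?)"` in `print_version` reads as a typo, because it only makes sense once the `print(f"v{version}\n")` below it prepends the `v`. A later edit is likely to "fix" it back, so either add a comment on that line, `# the leading "v" is supplied by the print below`, or keep the full word and print the fallback without the prefix. `print_version` begins outside the hunk.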
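Review bot: The `except binascii.Error: continue` added in the Mojarra loop drops an undecodable line with no trace, so a custom secret that is not valid base64 is never tested and the scan can come back clean for a value the user believed was covered. `base64.b64decode` without `validate=True` also discards non-alphabet characters rather than raising, so some malformed lines still decode to unrelated bytes and never reach this handler (whether strict decoding is safe here depends on how `load_resources` treats prefixed entries, which the hunk does not show). The same four lines are repeated in the mac_key loop and the decryption-key loop later in `check_secret`; one helper, sketched below, keeps the three in step and gives a single place to count or report skipped entries. The patch adds no `import binascii`, so confirm the module already imports it, since otherwise evaluating the `except` clause raises NameError. `check_secret` starts and ends outside the hunk.

```python
def _decoded_passwords(self):
    # Single decode point for the shared list, so every loop skips the same lines.
    for line in self.load_resources(["jsf_viewstate_passwords_b64.txt"]):
        try:
            yield base64.b64decode(line.rstrip())
        except binascii.Error:
            # Not valid base64 (for example a plain-text custom secret):
            # this entry is not tested, so count or report it here.
            continue

# … unchanged: start of check_secret …
for password_bytes in self._decoded_passwords():
    decrypted = self.AES_decrypt(jsf_viewstate_value, password_bytes)
```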
@@ -297,7 +303,10 @@ def check_secret(self, jsf_viewstate_value): hash_sizes = self.hash_sizes.values() for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]): - password_bytes = base64.b64decode(l.rstrip()) + try: + password_bytes = base64.b64decode(l.rstrip()) + except binascii.Error: + continue ( myfaces_solved_decryption_key, myfaces_solved_decryption_algo, diff --git a/tests/examples_cli_test.py b/tests/examples_cli_test.py index d1b4460..d935726 100644 --- a/tests/examples_cli_test.py +++ b/tests/examples_cli_test.py @@ -503,6 +503,41 @@ def test_example_cli_customsecrets_toolarge(monkeypatch, capsys): assert "exceeds the maximum limit of 100KB!" in captured.out +def test_example_cli_customsecrets_urlmode_expressbase64(monkeypatch, capsys): + base_vulnerable_page_jsf_custom = """ +

+""" + + with tempfile.NamedTemporaryFile("w+t", delete=False) as f: + f.write("base64:aGFja3RoZXBsYW5ldA==") + f.flush() + + with requests_mock.Mocker() as m: + m.get( + f"http://example.com/vulnerablejsf.html", + status_code=200, + text=base_vulnerable_page_jsf_custom, + ) + + monkeypatch.setattr( + "sys.argv", + [ + "python", + "--url", + "http://example.com/vulnerablejsf.html", + "-c", + f.name, + ], + ) + cli.main() + captured = capsys.readouterr() + print(captured) + assert ("Including custom secrets list") in captured.out + assert ( + "e496c62dfa4ce5541939c0eb17bdbda54c9a0ed1:007a34c262eee5c788b488be23b5e4122d4601be21d76599f3de2903e678387edb728da35c4cb5452096c23b4971935b58f72f3ea2f9cf37e5d370e878c65f1865fb6bd3d2bfe7d44fc30078a368b801a3d5d66e3bcb2b5edf316481a0fb03c25960b3717e888563ad816530897792a230834ca5" + ) in captured.out + + def test_example_cli_customsecrets_urlmode(monkeypatch, capsys): base_vulnerable_page_aspnet_custom = """