Skip to content

Commit

Permalink
Copybara import of the project:
Browse files Browse the repository at this point in the history
--
ce33b31 by LeonardoE95 <[email protected]>:

Add JSP payload for Reflective RCE

--
4b6b849 by LeonardoE95 <[email protected]>:

Fix: Add newline
COPYBARA_INTEGRATE_REVIEW=#127 from mindedsecurity:master 4b6b849
PiperOrigin-RevId: 705246572
Change-Id: I1661382d3a82855365bc8d253598dd2757a078e0
  • Loading branch information
LeonardoE95 authored and copybara-github committed Dec 11, 2024
1 parent 2bc8a20 commit 6f0a8dc
Show file tree
Hide file tree
Showing 3 changed files with 48 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -92,3 +92,12 @@ payloads:
validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
vulnerabilityType:
- REFLECTIVE_RCE
- name: jsp_print
interpretation_environment: JSP
execution_environment: EXEC_INTERPRETATION_ENVIRONMENT
uses_callback_server: false
payload_string: <% out.print(String.format("%s%s%s","TSUNAMI_PAYLOAD_START", "$TSUNAMI_PAYLOAD_TOKEN_RANDOM", "TSUNAMI_PAYLOAD_END")); %>
validation_type: VALIDATION_REGEX
validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
vulnerability_type:
- REFLECTIVE_RCE
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,13 @@ public void nextBytes(byte[] bytes) {
.setExecutionEnvironment(
PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
.build();
private static final PayloadGeneratorConfig JSP_REFLECTIVE_RCE_CONFIG =
PayloadGeneratorConfig.newBuilder()
.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
.setInterpretationEnvironment(PayloadGeneratorConfig.InterpretationEnvironment.JSP)
.setExecutionEnvironment(
PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
.build();
private static final PayloadGeneratorConfig WINDOWS_REFLECTIVE_RCE_CONFIG =
PayloadGeneratorConfig.newBuilder()
.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
Expand Down Expand Up @@ -250,6 +257,36 @@ public void checkIfExecuted_withJavaConfiguration_andIncorrectInput_returnsFalse
ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
}

@Test
public void getPayload_withJspConfiguration_returnsPrintfPayload() {
Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);

assertThat(payload.getPayload())
.isEqualTo(
"<% out.print(String.format(\"%s%s%s\",\"TSUNAMI_PAYLOAD_START\", \"ffffffffffffffff\","
+ " \"TSUNAMI_PAYLOAD_END\")); %>");
assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
}

@Test
public void checkIfExecuted_withJspConfiguration_andCorrectInput_returnsTrue() {
Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);

assertTrue(
payload.checkIfExecuted(
ByteString.copyFromUtf8(
"RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
}

@Test
public void checkIfExecuted_withJspConfiguration_andIncorrectInput_returnsFalse() {
Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);

assertFalse(
payload.checkIfExecuted(
ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
}

@Test
public void getPayload_withSsrfConfiguration_returnsGooglePayload() {
Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
Expand Down
2 changes: 2 additions & 0 deletions proto/payload_generator.proto
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,8 @@ message PayloadGeneratorConfig {
LINUX_ROOT_CRONTAB = 5;
// Payload is interpreted wihin a Windows shell environment
WINDOWS_SHELL = 6;
// Payload is interpreted within a JSP shell environment
JSP = 7;
}

// The actual runtime environment when the payload is run e.g. while a
Expand Down

0 comments on commit 6f0a8dc

Please sign in to comment.