New gadgets (Struts2JasperReports - Atomikos - SpringJta) #123
Conversation
```java
}

@Override
public Object call() throws Exception {
```
Is there a reason this context setup needs to be in a custom Deserializer class, as opposed to just being at the beginning of the payload's getObject() implementation?
I have tried to put it within the getObject implementation, and if I run the main in the payload class it works. But when I run the complete tests, it seems the deserialisation happens in a different thread where the ActionContext has not been initialised. So I created a custom Deserializer for doing that.
Hi @frohoff, do you have updates on merging this branch? Are there any problems?
No problems, just been super busy. Still hope to review more and merge. Thanks.
* CommonsCollections8 payload (#116)
* New gadgets (Struts2JasperReports - Atomikos - SpringJta) (#123)
* added Atomikos gadget payload
* added Atomikos gadget payload
* naming
* added spring-jta gadget
* added strutsJasperReports gadget + tests
* updated deps list on springJta
* fixed authors
* renaming
* Add new payload in Commons Collections 3.2.1 (#125)
* Add Jython2 gadget (#135). This version of Jython2 executes a command through os.system(). Based on Jython1 from @pwntester & @cschneider4711. Co-authored-by: Chris Frohoff <chris@frohoff.org>
* Add scala and clojure payloads from a couple of years ago (#137)
* Add some payloads for Scala
* Add new clojure payload effecting versions since 1.8.0
* Fix infinite loop behavior of clojure2 payload.
* add CommonsBeanutils2 (#163)
* ceylon gadget (#173)

Co-authored-by: navalorenzo <34750199+navalorenzo@users.noreply.github.com>
Co-authored-by: Stefano Ciccone <sciccone@gdssecurity.com>
Co-authored-by: 梅子酒 <960596293@qq.com>
Co-authored-by: Yorick Koster <ykoster@users.noreply.github.com>
Co-authored-by: Ian Haken <ihaken@netflix.com>
Co-authored-by: k4n5ha0 <9199771@qq.com>
Co-authored-by: supersache <42678777+supersache@users.noreply.github.com>
Hi,
First, big kudos for your outstanding research/work; I have used it in innumerable contexts and it was amazing.
I would like to add some gadget chains I have coded to the tool, if you agree:

- Struts2JasperReports. It's a gadget chain in the jasperreports plugin of struts2, which uses a combination of Java deserialisation and OGNL evaluation. I have discovered it and coded the payload.
- Atomikos. It's a gadget chain ending with a JNDI lookup, already mentioned in some published research for JSON attacks (kudos to @pwntester). I tuned it a bit and coded the payload.
- SpringJta. It's a deserialised JNDI lookup, based on the work of @zerothoughts. I just coded the payload.
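All three chains above depend on the receiving ObjectInputStream being willing to instantiate third-party library classes it was never meant to receive. As an added defensive example that is not part of this PR or of ysoserial, the following shows the standard countermeasure: an allow-list deserialization filter (JEP 290, Java 9+) that admits only the application's own types and rejects everything else before any readObject() or readResolve() code in an unexpected class can run. The package name com.example.app, the Greeting DTO and the use of a plain HashMap as a stand-in for an unexpected class are assumptions made for this example.

```java
package com.example.app; // assumed application package; must match the allow-list below

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not code from this PR or from ysoserial): an allow-list
 * ObjectInputFilter. Classes are checked as their stream descriptors are
 * read, so a rejected class is never instantiated and none of its
 * deserialization hooks execute.
 */
public final class AllowListDeserialization {

    // Patterns are matched left to right; the trailing "!*" rejects any class
    // not matched earlier. The resource limits bound what a hostile stream can
    // make the reader allocate. "com.example.app" is an assumed package name.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=16;maxrefs=1000;maxbytes=65536;"
            + "com.example.app.**;java.lang.String;!*");

    /** Hypothetical DTO that the application legitimately exchanges. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /** Serializes any object; used here only to build sample input. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the allow-list filter installed on this stream only. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected application type passes the filter.
        Greeting g = (Greeting) readFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // Any class outside the allow-list is rejected before it is instantiated.
        // A plain HashMap stands in for an unexpected library class (constructed sample).
        try {
            readFiltered(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `-Djdk.serialFilter=...` JVM property or `ObjectInputFilter.Config.setSerialFilter(...)`, which also covers ObjectInputStream instances created by libraries that the application does not control. An allow-list is preferable to a deny-list of known gadget classes because each new chain (such as the ones proposed in this PR) would otherwise require another deny-list entry.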