Related articles of tag: «java gadgets» — Programmer Sought

Building

Assuming you have a JDK installed on your system, you should be able to just run ./gradlew shadowJar. You can then run the application with java -jar build/libs/gadget-inspector-all.jar <args>.

Example

The following is an example from running against commons-collections-3.2.1.jar, e.g. with

In gadget-chains.txt there is the following chain:

com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (-1)
  com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (0)
  org/apache/commons/collections/map/DefaultedMap.get(Ljava/lang/Object;)Ljava/lang/Object; (0)
  org/apache/commons/collections/functors/InvokerTransformer.transform(Ljava/lang/Object;)Ljava/lang/Object; (0)
  java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

The entry point of this chain is an implementation of the JDK InvocationHandler class. Using the same trick as in the original commons-collections gadget chain, any serializable implementation of this class is reachable in a gadget chain, so the discovered chain starts here.

This method invokes classToInvocationHandler.get(). The discovered gadget chain indicates that classToInvocationHandler can be serialized as a DefaultedMap, so that this invocation jumps to DefaultedMap.get().

The next step in the chain invokes value.transform() from this method. The parameter value in this class can be serialized as an InvokerTransformer. Inside this class’s transform method we see that we call cls.

Gadget inspector

This project inspects Java libraries and classpaths for gadget chains. Gadget chains are used to construct exploits for deserialization vulnerabilities. By automatically discovering possible gadget chains in an application’s classpath, penetration testers can quickly construct exploits, and application security engineers can assess the impact of a deserialization vulnerability and prioritize its remediation.

This project was presented at Black Hat USA 2021. Learn more about it there! (Links pending)

DISCLAIMER: This project is alpha at best. It needs tests and documentation added. Feel free to help by adding either!


How to use

This application expects as argument(s) either a path to a war file (in which case the war will be exploded and all of its classes and libraries used as a classpath) or else any number of jars.

Note that the analysis can be memory intensive (and so far gadget inspector has not been optimized at all to be less memory greedy). Even for small libraries you probably want to allocate at least 2GB of heap (e.g. with the -Xmx2G flag).

The toolkit will go through several stages of classpath inspection to build up datasets for use in later stages. These datasets are written to files with a .dat extension and can be discarded after your run (they are written mostly so that earlier stages can be skipped during development).

After the analysis has run the file gadget-chains.txt will be written.

Other examples

If you’re looking for more examples of what kind of chains this tool can find, the following libraries also have some interesting results:

Don’t forget that you can also point gadget inspector at a complete application (packaged as a JAR or WAR). For example, when analyzing the war for the Zksample2 application we get the following gadget chain:

net/sf/jasperreports/charts/design/JRDesignPieDataset.readObject(Ljava/io/ObjectInputStream;)V (1)
  org/apache/commons/collections/FastArrayList.add(Ljava/lang/Object;)Z (0)
  java/util/ArrayList.clone()Ljava/lang/Object; (0)
  org/jfree/data/KeyToGroupMap.clone()Ljava/lang/Object; (0)
  org/jfree/data/KeyToGroupMap.clone(Ljava/lang/Object;)Ljava/lang/Object; (0)
  java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

As you can see, this utilizes several different libraries contained in the application in order to build up the chain.
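As an added example (not part of Gadget Inspector), a small parser for the gadget-chains.txt layout shown in the two chains above: it turns the JVM method descriptors into Java-style signatures and lists which package roots a chain crosses, which is what "utilizes several different libraries" comes down to when triaging output. The Step fields, the `package_roots` depth and the embedded sample text are this example's own choices.

```python
import re
from collections import namedtuple
# Constructed sample in the layout shown above: an unindented line opens a
# chain and indented lines continue it, each ending in the tool's integer tag.
SAMPLE = """\
com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (-1)
  org/apache/commons/collections/map/DefaultedMap.get(Ljava/lang/Object;)Ljava/lang/Object; (0)
  org/apache/commons/collections/functors/InvokerTransformer.transform(Ljava/lang/Object;)Ljava/lang/Object; (0)
  java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)
"""
PRIMITIVES = {"B": "byte", "C": "char", "D": "double", "F": "float", "I": "int",
              "J": "long", "S": "short", "Z": "boolean", "V": "void"}
# groups: indent, class path, method name, JVM method descriptor, trailing integer
LINE_RE = re.compile(r"^(\s*)(\S+?)\.([^.(]+)(\([^)]*\)\S+) \((-?\d+)\)$")
Step = namedtuple("Step", "cls method params ret index")

def parse_type(desc, i):
    """Parse one JVM type at desc[i]; return (Java type name, next index)."""
    dims = 0
    while desc[i] == "[":                      # one '[' per array dimension
        dims, i = dims + 1, i + 1
    if desc[i] == "L":                         # object type: Lpkg/Name;
        end = desc.index(";", i)
        return desc[i + 1:end].replace("/", ".") + "[]" * dims, end + 1
    return PRIMITIVES[desc[i]] + "[]" * dims, i + 1   # single-letter primitive

def parse_method_descriptor(desc):
    """'(Ljava/lang/Object;[I)V' -> (['java.lang.Object', 'int[]'], 'void')."""
    i, params = 1, []                          # index 1 skips the opening '('
    while desc[i] != ")":
        typ, i = parse_type(desc, i)
        params.append(typ)
    return params, parse_type(desc, i + 1)[0]

def parse_chains(text):
    """Group the file's lines into chains, each a list of Step, entry point first."""
    chains = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        indent, cls, method, desc, idx = m.groups()
        params, ret = parse_method_descriptor(desc)
        if not indent:                         # an unindented line starts a new chain
            chains.append([])
        chains[-1].append(Step(cls.replace("/", "."), method, params, ret, int(idx)))
    return chains

def pretty(step):                              # Java-style rendering of one Step
    return f"{step.cls}.{step.method}({', '.join(step.params)}) -> {step.ret}"

def package_roots(chain, depth=3):             # e.g. 'org.apache.commons'
    return sorted({".".join(s.cls.split(".")[:depth]) for s in chain})
```

Running `parse_chains` over a real gadget-chains.txt and sorting chains by `package_roots` quickly shows which third-party jars a chain depends on, which is the information needed to decide which dependency to upgrade or filter first.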

