Chetan Conikee conikeec
conikeec
/ s1.java
Last active
April 24, 2020 00:35
Derived from https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @RequestMapping(value={"/upload/patch"}, method={RequestMethod.POST}) | |
| public A3StatusBean uploadPatch( | |
| .... | |
| @RequestParam(value="accessToken") String accessToken | |
| @RequestParam(value="file") String file,) { | |
| (...) | |
| FILE = [file] | |
| //SaveToPath |
conikeec
/ searchjars
Created
January 6, 2020 02:17
— forked from cpeisert/searchjars
Bash script to search Jar files. Each archived file is searched for the specified string.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #Suggested file name: searchjars | |
| if [[ $1 = "-h" || $1 = "--help" ]] | |
| then | |
| echo "Usage: $0 [STRING] [DIRECTORY]..." | |
| echo "Search DIRECTORY(s) for Jar files. For each Jar, search the archived" | |
| echo "files for STRING." | |
| echo "" | |
| echo "Default directory path is the current directory. Multiple directory " |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //define the source function and attacker controlled vector (which is the email address parameter) | |
| val source = cpg.method.fullNameExact("org.baeldung.web.controller.RegistrationController.resetPasswordBad:org.baeldung.web.util.GenericResponse(javax.servlet.http.HttpServletRequest,java.lang.String)").parameter.evalType("java.lang.String") | |
| //define email channel sink function name | |
| val EMAIL_CHANNEL_SINK="org.springframework.mail.javamail.JavaMailSender.send:void(org.springframework.mail.SimpleMailMessage)" | |
| //define the sink function that participates in the data flow | |
| val sink = cpg.method.fullNameExact(EMAIL_CHANNEL_SINK).parameter.evalType("java.lang.String") | |
| // Verify BUSINESS LOGIC FLAW check to determine if attack controller vector (email) is used in emailSend function, rather than the registered user email (determined after fetch from DB in step #1) |
conikeec
/ step_two.scala
Last active
December 17, 2019 07:12
GitHub's password reset flaw emulation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //define the source function and attacker controlled vector (which is the email address parameter) | |
| val source = cpg.method.fullNameExact("org.baeldung.web.controller.RegistrationController.resetPasswordBad:org.baeldung.web.util.GenericResponse(javax.servlet.http.HttpServletRequest,java.lang.String)").parameter.evalType("java.lang.String") | |
| // The DB lookup function is a part of the IUserService interface, implemented by UserService here https://github.com/conikeec/spring-security-registration/blob/master/src/main/java/org/baeldung/service/UserService.java#L136 | |
| val DB_LOOKUP_FN_EXPR = ".*findUserByEmail.*" | |
| //define the sink function that participates in the data flow | |
| val sink = cpg.method.name(DB_LOOKUP_FN_EXPR).parameter.evalType("java.lang.String") | |
| // Verify BUSINESS LOGIC FLAW check to determine if attack controller vector (email) is caseFolded prior to DB lookup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git clone git@github.com:conikeec/spring-security-registration.git | |
| cd spring-security-registration | |
| //compile and create package artifact | |
| mvn -Dmaven.test.skip=true clean package | |
| // Download trial distribution of Ocular (https://ocular.shiftleft.io). Install and thereafter fire up the prompt to commence investigation | |
| ./ocular.sh |
conikeec
/ goals.json
Created
November 29, 2019 17:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "results": [ | |
| { | |
| "verifyingFunction": "WebSecurityConfigurerAdapterEnabled", | |
| "configured": true, | |
| "coordinates": [ | |
| [ | |
| { | |
| "name": "org.conikee.rest.config.SecurityConfig.configure:void(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder)", | |
| "fileName": "org/conikee/rest/config/SecurityConfig.java", |
conikeec
/ results.json
Created
November 7, 2019 04:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name" : "@SensitiveRedact", | |
| "modelName" : "io.shiftleft.tarpit.model.Order", | |
| "members" : [ | |
| "creditCardNumber" | |
| ], | |
| "baseTypes" : [ | |
| "Object" | |
| ], | |
| "isToStringOverriden" : true, |
conikeec
/ ocular.scala
Created
November 7, 2019 04:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git clone git@github.com:conikeec/tarpit.git | |
| cd tarpit | |
| mvn clean compile | |
| // Download trial distribution of Ocular. Install and thereafter fire up the prompt to commence investigation | |
| ./ocular.sh |
conikeec
/ gist:ed160ef13550e458e4619fa56ee6ce88
Last active
October 10, 2019 23:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Clone and build the project | |
| git clone git@github.com:conikeec/tarpit.git | |
| cd tarpit | |
| mvn clean compile | |
| // Download trial distribution of Ocular. Install and thereafter fire up the prompt to commence investigation |
conikeec
/ gist:add8a98ed80bc38c4c190008b0497caa
Last active
October 10, 2019 18:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| val source = serverCpg.method.name("wrapStream").methodReturn | |
| val sink = serverCpg.method.fullName(".*ObjectInputStream.*readObject.*").parameter | |
| val exploitiveFlow = sink.reachableBy(source).flows.p | |
| [main] INFO mainTasksSize: 1, reachedEndNode: 1, | |
| res16: List[String] = List( | |
| """ ________________________________________________________________________________________________________________________________________ | |
| | tracked | lineNumber| method | file | |