
Commit b1a90a3

author
source
committed
bugfix Generate PoC
1 parent 3a97192 commit b1a90a3

7 files changed

+94
-114
lines changed


release/YaguraExtender.jar

-318 Bytes
Binary file not shown.

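--- a/src/yagura/external/TransUtil.java
+++ b/src/yagura/external/TransUtil.java
@@ -10,6 +10,7 @@
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.text.DecimalFormat;
+import java.text.Normalizer;
 import java.time.LocalDate;
 import java.time.format.DateTimeFormatter;
 import java.time.temporal.ChronoUnit;
@@ -475,6 +476,10 @@ public static byte[] UTF8Encode(String input, int bytes) {
 return byte_array.toByteArray();
 }
 
+// public static String UTF8Decode(String input) {
+// return Normalizer.normalize(input, Normalizer.Form.NFKC);
+// }
+
 public static String decodeUrl(String pString, String charset) throws UnsupportedEncodingException {
 return new String(decodeUrl(pString.getBytes("US-ASCII")), charset);
 }
@@ -586,27 +591,27 @@ public static String toByteOctEncode(String input, String charset, Pattern patte
 return toByteOctEncode(input.getBytes(charset), pattern, upperCase);
 }
 
-public static String toHexEncode(String input, boolean upperCase) {
-return toHexEncode(input, PTN_ENCODE_ALPHANUM, upperCase);
-}
-
-public static String toHexEncode(String input, Pattern pattern, boolean upperCase) {
-StringBuilder buff = new StringBuilder();
-for (int i = 0; i < input.length(); i++) {
-char c = input.charAt(i);
-Matcher m = pattern.matcher(new String(new char[]{c}));
-if (m.matches()) {
-if (upperCase) {
-buff.append(String.format("\\X%02X", (int) c));
-} else {
-buff.append(String.format("\\x%02x", (int) c));
-}
-} else {
-buff.append(c);
-}
-}
-return buff.toString();
-}
+// public static String toHexEncode(String input, boolean upperCase) {
+// return toHexEncode(input, PTN_ENCODE_ALPHANUM, upperCase);
+// }
+
+// public static String toHexEncode(String input, Pattern pattern, boolean upperCase) {
+// StringBuilder buff = new StringBuilder();
+// for (int i = 0; i < input.length(); i++) {
+// char c = input.charAt(i);
+// Matcher m = pattern.matcher(new String(new char[]{c}));
+// if (m.matches()) {
+// if (upperCase) {
+// buff.append(String.format("\\X%02X", (int) c));
+// } else {
+// buff.append(String.format("\\x%02x", (int) c));
+// }
+// } else {
+// buff.append(c);
+// }
+// }
+// return buff.toString();
+// }
 
 public static String toByteHexEncode(byte[] bytes, Pattern pattern, boolean upperCase) {
 StringBuilder buff = new StringBuilder();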
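Review bot: The `import java.text.Normalizer;` added at new line 13 is unused, because the only code that references it (UTF8Decode, new lines 479-481) is committed as a comment block; the same goes for both toHexEncode overloads, which are kept as comments at 594-614 instead of being deleted. Commented-out code should be removed and left to version control, so either drop the import together with the three comment blocks or bring UTF8Decode in as a real method. Removing the two public static toHexEncode overloads is an API change for any caller outside this commit; GeneratePoCTab.java is migrated here, but other callers cannot be seen from this page and would now fail to compile.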

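--- a/src/yagura/view/GeneratePoCTab.form
+++ b/src/yagura/view/GeneratePoCTab.form
@@ -192,7 +192,9 @@
 </Component>
 <Component class="javax.swing.JCheckBox" name="chkHtml5Binaly">
 <Properties>
+<Property name="selected" type="boolean" value="true"/>
 <Property name="text" type="java.lang.String" value="Binaly"/>
+<Property name="enabled" type="boolean" value="false"/>
 </Properties>
 </Component>
 <Component class="javax.swing.JSpinner" name="spnTime">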

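--- a/src/yagura/view/GeneratePoCTab.java
+++ b/src/yagura/view/GeneratePoCTab.java
@@ -177,7 +177,9 @@ public void stateChanged(javax.swing.event.ChangeEvent evt) {
 }
 });
 
+chkHtml5Binaly.setSelected(true);
 chkHtml5Binaly.setText("Binaly");
+chkHtml5Binaly.setEnabled(false);
 
 spnTime.setValue(1000);
 
@@ -318,14 +320,15 @@ private void btnCopyClipbordActionPerformed(java.awt.event.ActionEvent evt) {//G
 private void btnGenerateActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_btnGenerateActionPerformed
 JTextComponent ta = this.txtGeneratorPoC;
 if (this.chkHtml5.isSelected()) {
-ta.setText(this.generateHtml5PoC());
+// ta.setText(this.generateHtml5PoC());
+ta.setText(this.generateHTML5PoC());
 } else {
 ta.setText(this.generatePoC());
 }
 }//GEN-LAST:event_btnGenerateActionPerformed
 
 private void chkHtml5StateChanged(javax.swing.event.ChangeEvent evt) {//GEN-FIRST:event_chkHtml5StateChanged
-this.chkHtml5Binaly.setEnabled(this.chkHtml5.isSelected());
+// this.chkHtml5Binaly.setEnabled(this.chkHtml5.isSelected());
 }//GEN-LAST:event_chkHtml5StateChanged
 
 private void chkAutoSubmitStateChanged(javax.swing.event.ChangeEvent evt) {//GEN-FIRST:event_chkAutoSubmitStateChanged
@@ -495,7 +498,6 @@ public String getSelectedText() {
 return selectText;
 }
 
-//private final static Pattern ENCODE_JS = Pattern.compile("[^ !#-/0-9a-zA-Z]");
 private final static Pattern ENCODE_JS = Pattern.compile("[^ !#-&(-/0-Z\\[\\]^-~]");
 
 private String generatePoC() {
@@ -613,8 +615,8 @@ else if (HttpUtil.isMaltiPart(contentType)) {
 }
 return buff.toString();
 }
-
-private String generateHtml5PoC() {
+
+private String generateHTML5PoC() {
 StringBuilder buff = new StringBuilder();
 try {
 boolean csrfAutoSubmit = this.chkAutoSubmit.isSelected();
@@ -659,29 +661,19 @@ private String generateHtml5PoC() {
 buff.append("<script type=\"text/javascript\">\n");
 buff.append("function html5_csrf() {\n");
 String boundary = HttpUtil.generateBoundary();
-buff.append("var xhr = new XMLHttpRequest();\r\n");
-buff.append(String.format("xhr.open('%s', '%s', true);\r\n", new Object[]{csrfFormMethod, TransUtil.encodeJsLangQuote(csrfUrl)}));
-buff.append("var req = new Array();\r\n");
+buff.append("\tvar xhr = new XMLHttpRequest();\r\n");
+buff.append(String.format("\txhr.open('%s', '%s', true);\r\n", new Object[]{csrfFormMethod, TransUtil.encodeJsLangQuote(csrfUrl)}));
+buff.append("\tvar req = '';\r\n");
 // csrf urlencoded/multipart
 if (!csrfTextPlain) {
 if (csrfMultiPart) {
-buff.append(String.format("var boundary = '--%s';\r\n", new Object[]{boundary}));
-buff.append("xhr.setRequestHeader( 'Content-Type','multipart/form-data; boundary=' + boundary);\r\n");
-// List<String> headers = requestInfo.getHeaders();
-// for (String header : headers) {
-// if (header.startsWith("X-")) {
-// KeyValuePair headerPair = HttpUtil.getHeader(header);
-// buff.append("xhr.setRequestHeader( '" + headerPair.getKey() + "','" + headerPair.getValue() + "');\r\n");
-// }
-// }
-// buff.append("xhr.withCredentials = true;\r\n"); // Cookieを付与
-buff.append("xhr.onreadystatechange = function(){};\r\n");
+buff.append(String.format("\tvar boundary = '--%s';\r\n", new Object[]{boundary}));
+buff.append("\txhr.setRequestHeader('Content-Type', 'multipart/form-data; boundary=' + boundary);\r\n");
 List<IParameter> parameters = requestInfo.getParameters();
 Logger.getLogger(GeneratePoCTab.class.getName()).log(Level.FINE, "parameters.length:{0}", parameters.size());
 boolean binaryParam = false;
 String filename = "";
 StringBuilder parambuff = new StringBuilder();
-int index = 0;
 for (int i = 0; i < parameters.size(); i++) {
 IParameter param = parameters.get(i);
 String paramName = param.getName();
@@ -691,69 +683,43 @@ private String generateHtml5PoC() {
 paramName = TransUtil.decodeUrl(paramName, csrfEncoding);
 paramValue = TransUtil.decodeUrl(paramValue, csrfEncoding);
 }
-else if (HttpUtil.isMaltiPart(contentType)) {
-paramName = Util.decodeMessage(Util.encodeMessage(paramName), csrfEncoding);
-if (!binaryParam) {
-paramValue = Util.decodeMessage(Util.encodeMessage(paramValue), csrfEncoding);
-}
-}
 if (paramType == IParameter.PARAM_URL || paramType == IParameter.PARAM_COOKIE) {
 continue;
 }
 if (paramType == IParameter.PARAM_BODY && !binaryParam) {
 if (parambuff.length() > 0) {
 parambuff.append(";\r\n");
 }
-parambuff.append("req[" + index++ + "] = '--' + boundary + '\\r\\n' + \r\n");
-parambuff.append(String.format("'Content-Disposition: form-data; name=\"%s\"\\r\\n\\r\\n' + \r\n", new Object[]{paramName}));
-String encodeJs = TransUtil.toHexEncode(paramValue, ENCODE_JS, false);
-parambuff.append(String.format("'%s\\r\\n'", new Object[]{encodeJs}));
+parambuff.append("\treq += '--' + boundary + '\\r\\n' + \r\n");
+parambuff.append(String.format("\t'Content-Disposition: form-data; name=\"%s\"\\r\\n\\r\\n' + \r\n", new Object[]{paramName}));
+String encodeHex = TransUtil.toByteHexEncode(Util.encodeMessage(paramValue), TransUtil.PTN_ENCODE_ALPHANUM, false);
+parambuff.append(String.format("\t'%s\\r\\n'", new Object[]{encodeHex}));
 } else if (paramType == IParameter.PARAM_MULTIPART_ATTR) {
 binaryParam = true;
 filename = paramValue;
 } else {
 if (parambuff.length() > 0) {
 parambuff.append(";\r\n");
 }
-parambuff.append("req[" + index++ + "] = '--' + boundary + '\\r\\n' + \r\n");
-parambuff.append(String.format("'Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\\r\\n' + \r\n", new Object[]{paramName, filename}));
-parambuff.append("'Content-Type: application/octet-stream\\r\\n\\r\\n'");
-if (csrfHtml5Binaly) {
-parambuff.append("; \r\n");
-parambuff.append("req[" + index++ + "] = new Uint8Array(" + TransUtil.toByteArrayJsEncode(Util.getRawByte(paramValue), false) + ");\r\n");
-parambuff.append("req[" + index++ + "] = '\\r\\n'");
-}
-else {
-parambuff.append("+ \r\n");
-String encodeJs = TransUtil.toHexEncode(paramValue, ENCODE_JS, false);
-parambuff.append(String.format("'%s\\r\\n'", new Object[]{encodeJs}));
-}
+parambuff.append("\treq += '--' + boundary + '\\r\\n' + \r\n");
+parambuff.append(String.format("\t'Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\\r\\n' + \r\n", new Object[]{paramName, filename}));
+parambuff.append("\t'Content-Type: application/octet-stream\\r\\n\\r\\n'");
+parambuff.append("+ \r\n");
+String encodeHex = TransUtil.toByteHexEncode(Util.encodeMessage(paramValue), TransUtil.PTN_ENCODE_ALPHANUM, false);
+parambuff.append(String.format("\t'%s\\r\\n'", new Object[]{encodeHex}));
 binaryParam = false;
 filename = "";
 }
 }
 parambuff.append(" + '--' + boundary + '--\\r\\n';\r\n");
 buff.append(parambuff.toString());
-StringBuilder argbuff = new StringBuilder();
-for (int i = 0; i < index; i++) {
-if (argbuff.length() > 0) {
-argbuff.append(",");
-}
-argbuff.append("req[").append(i).append("]");
-}
-buff.append("var blob = new Blob([").append(argbuff.toString()).append("]);\r\n");
-buff.append("xhr.send(blob);\r\n");
+buff.append("\tvar blob = new Uint8Array(req.length);\r\n");
+buff.append("\tfor (var i = 0; i < blob.length; i++)\r\n");
+buff.append("\t\tblob[i] = req.charCodeAt(i);\r\n");
+buff.append("\txhr.send(new Blob([blob]));\r\n");
 } else {
-buff.append("xhr.setRequestHeader( 'Content-Type','application/x-www-form-urlencoded');\r\n");
-// List<String> headers = requestInfo.getHeaders();
-// for (String header : headers) {
-// if (header.startsWith("X-")) {
-// KeyValuePair headerPair = HttpUtil.getHeader(header);
-// buff.append("xhr.setRequestHeader( '" + headerPair.getKey() + "','" + headerPair.getValue() + "');\r\n");
-// }
-// }
-buff.append("xhr.withCredentials = true;\r\n"); // Cookieを付与
-buff.append("xhr.onreadystatechange = function(){};\r\n");
+buff.append("\txhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');\r\n");
+buff.append("\txhr.withCredentials = true;\r\n"); // Cookieを付与
 List<IParameter> parameters = requestInfo.getParameters();
 Logger.getLogger(GeneratePoCTab.class.getName()).log(Level.FINE, "parameters.size:{0}", parameters.size());
 boolean binaryParam = false;
@@ -763,37 +729,41 @@ else if (HttpUtil.isMaltiPart(contentType)) {
 String paramName = param.getName();
 String paramValue = param.getValue();
 byte paramType = param.getType();
+// if (HttpUtil.isUrlEencoded(contentType)) {
+// paramName = TransUtil.decodeUrl(paramName, csrfEncoding);
+// paramValue = TransUtil.decodeUrl(paramValue, csrfEncoding);
+// }
 if (paramType == IParameter.PARAM_URL || paramType == IParameter.PARAM_COOKIE) {
 continue;
 }
 if (paramType == IParameter.PARAM_BODY && !binaryParam) {
-buff.append("req[0] = req[0]");
+buff.append("\treq += ");
 if (!first) {
 buff.append(" + '&'");
 }
-buff.append(String.format(" + '%s' + '=' + '%s';\r\n",
+buff.append(String.format("'%s' + '=' + '%s';\r\n",
 new Object[]{TransUtil.encodeJsLangQuote(paramName),
 TransUtil.encodeJsLangQuote(paramValue)}));
 first = false;
 } else if (paramType == IParameter.PARAM_MULTIPART_ATTR) {
 binaryParam = true;
 }
 }
-buff.append("xhr.send(req[0]);\r\n");
+buff.append("\tvar blob = new Uint8Array(req.length);\r\n");
+buff.append("\tfor (var i = 0; i < blob.length; i++)\r\n");
+buff.append("\t\tblob[i] = req.charCodeAt(i);\r\n");
+buff.append("\txhr.send(new Blob([blob]));\r\n");
 }
 } // csrf textplain
 else {
-buff.append(String.format("xhr.setRequestHeader( 'Content-Type','%s');\r\n", csrfEnctype));
-buff.append("xhr.withCredentials = true;\r\n"); // Cookieを付与
-buff.append("xhr.onreadystatechange = function(){};\r\n");
+buff.append(String.format("\txhr.setRequestHeader('Content-Type', '%s');\r\n", csrfEnctype));
+buff.append("\txhr.withCredentials = true;\r\n"); // Cookieを付与
 String paramValue = Util.decodeMessage(reqmsg.getBodyBytes());
-if (csrfHtml5Binaly) {
-buff.append("req[0] = new Uint8Array(" + TransUtil.toByteArrayJsEncode(Util.getRawByte(paramValue), false) + ");");
-}
-else {
-buff.append(String.format("req[0] = '%s';\r\n", new Object[]{TransUtil.toHexEncode(paramValue, ENCODE_JS, false)}));
-}
-buff.append("xhr.send(req[0]);\r\n");
+buff.append(String.format("\treq += '%s';\r\n", new Object[]{TransUtil.toByteHexEncode(Util.getRawByte(paramValue), ENCODE_JS, false)}));
+buff.append("\tvar blob = new Uint8Array(req.length);\r\n");
+buff.append("\tfor (var i = 0; i < blob.length; i++)\r\n");
+buff.append("\t\tblob[i] = req.charCodeAt(i);\r\n");
+buff.append("\txhr.send(new Blob([blob]));\r\n");
 }
 buff.append("}\n");
 buff.append("</script></head>\n");
@@ -814,7 +784,8 @@ else if (HttpUtil.isMaltiPart(contentType)) {
 }
 return buff.toString();
 }
-
+
+
 public void clearView() {
 this.quickSearchTab.clearView();
 }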
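Review bot: In the multipart branch, new lines 694 and 705 format `paramName` and `filename` straight into a single-quoted JavaScript literal, whereas the urlencoded branch at 745-746 wraps the same kind of values in `TransUtil.encodeJsLangQuote`; a quote or backslash in a parameter name or filename taken from the captured request breaks out of the literal, so the generated PoC page would run whatever the responding application put there instead of the intended request. Use `new Object[]{TransUtil.encodeJsLangQuote(paramName)}` on 694 and `new Object[]{TransUtil.encodeJsLangQuote(paramName), TransUtil.encodeJsLangQuote(filename)}` on 705. Both branches that read `csrfHtml5Binaly` were removed (old 721-730 and 790-795), so if that local is still declared earlier in generateHTML5PoC it is now dead and can go together with the commented-out decodeUrl block at 732-735. The `// Cookieを付与` comments on new lines 722 and 760 could read `// send cookies with the request` to match the file's other English comments. generateHTML5PoC's body runs between and beyond the hunks shown here, so the declaration of `csrfHtml5Binaly` is not visible.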
