diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0f8d949 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.idea +build +.gradle \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..8d1a542 --- /dev/null +++ b/README.md @@ -0,0 +1,25 @@ +# 🔥 T4scan +A burp plugin for text4shell passive scan + +## 📦How to install +### ⏬Download +You can download complied jar from release or build from source. +### 🔨Build from source +First clone the project +``` +git clone https://github.com/YulinSec/t4scan +``` +Then open it by IDEA, run task fatJar in build.gradle +![images](images/fatjar.png) +You can find compiled jar in build/libs/t4scan-all-1.0-SNAPSHOT.jar +![images](images/output.png) +### 🚀Install to burp +Install this plugin as a java plugin in extender panel. + +## 🔮Images +After t4scan installed, it will automatically get http request sent by burp, and inject payloads to find text4shell, including echo and dns. +You can find urls scanned in stdout of t4scan. +![images](images/stdout.png) +When it found a text4shell, it will alert an issue. +![images](images/issue.png) +For more details, please to and look at source code. \ No newline at end of file diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..eff9d81 --- /dev/null +++ b/build.gradle @@ -0,0 +1,30 @@ +plugins { + id 'java' +} + +group 'org.example' +version '1.0-SNAPSHOT' + +repositories { + mavenCentral() +} + +dependencies { + implementation 'net.portswigger.burp.extender:burp-extender-api:1.7.13' + // https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 + implementation 'org.apache.commons:commons-lang3:3.12.0' + testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.1' + testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.1' +} + + +task fatJar(type: Jar) { + baseName = project.name + '-all' + duplicatesStrategy = DuplicatesStrategy.EXCLUDE + from { configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) } } + with jar +} + +test { + useJUnitPlatform() +} \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000..41d9927 Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..41dfb87 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..1b6c787 --- /dev/null +++ b/gradlew @@ -0,0 +1,234 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..ac1b06f --- /dev/null +++ b/gradlew.bat @@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/images/fatjar.png b/images/fatjar.png new file mode 100644 index 0000000..d95a3da Binary files /dev/null and b/images/fatjar.png differ diff --git a/images/issue.png b/images/issue.png new file mode 100644 index 0000000..15e1104 Binary files /dev/null and b/images/issue.png differ diff --git a/images/output.png b/images/output.png new file mode 100644 index 0000000..1e31eb5 Binary files /dev/null and b/images/output.png differ diff --git a/images/stdout.png b/images/stdout.png new file mode 100644 index 0000000..a9f0440 Binary files /dev/null and b/images/stdout.png differ diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..d6fd214 --- /dev/null +++ b/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 't4scan' + diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java new file mode 100644 index 0000000..11eb89b --- /dev/null +++ b/src/main/java/burp/BurpExtender.java @@ -0,0 +1,264 @@ +package burp; + +import org.apache.commons.lang3.RandomStringUtils; + +import java.io.PrintWriter; +import java.net.URL; +import java.net.URLEncoder; +import java.util.ArrayList; +import java.util.List; + +import static java.lang.Thread.sleep; + +public class BurpExtender implements IBurpExtender, IScannerCheck { + private String extensionName = "T4scan"; + private String version = "v0.0.1"; + private PrintWriter stdout; + private PrintWriter stderr; + private IBurpExtenderCallbacks callbacks; + private IExtensionHelpers helpers; + + @Override + public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { + this.callbacks = callbacks; + callbacks.setExtensionName(extensionName + "@" + version); + callbacks.registerScannerCheck(this); + helpers = callbacks.getHelpers(); + stdout = new PrintWriter(callbacks.getStdout(), true); + stderr = new PrintWriter(callbacks.getStderr(), true); + stdout.println("success loaded"); + } + + @Override + public List doPassiveScan(IHttpRequestResponse baseRequestResponse) { + + byte[] baseRequest = baseRequestResponse.getRequest(); + IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse); + stdout.println("passive scan: " + requestInfo.getUrl()); + + List insertionPoints = new ArrayList<>(); + List parameters = requestInfo.getParameters(); + for (IParameter parameter : parameters) { + IScannerInsertionPoint insertionPoint = helpers.makeScannerInsertionPoint(parameter.getName(), + baseRequest, + parameter.getValueStart(), + parameter.getValueEnd()); + insertionPoints.add(insertionPoint); + } + + for (IScannerInsertionPoint insertionPoint : insertionPoints) { + Runnable dns = new CheckDNS(baseRequestResponse, requestInfo, insertionPoint); + dns.run(); + } + + String key1 = RandomStringUtils.random(5, true, true); + String value1 = RandomStringUtils.random(5, true, true); + String key2 = RandomStringUtils.random(5, true, true); + String value2 = RandomStringUtils.random(5, true, true); + String inject = String.format("${%s:-%s}${%s:-%s}", key1, value1, key2, value2); + String pattern = String.format("%s%s", value1, value2); + + for (IScannerInsertionPoint insertionPoint : insertionPoints) { + + byte[] rawRequest = insertionPoint.buildRequest(inject.getBytes()); + Runnable rawEcho = new CheckEcho(baseRequestResponse, requestInfo, rawRequest, pattern.getBytes()); + rawEcho.run(); + + byte[] encodedInject; + try { + encodedInject = URLEncoder.encode(inject, "UTF-8").getBytes(); + } catch (Exception e) { + throw new RuntimeException(e); + } + + byte[] encodedRequest = insertionPoint.buildRequest(encodedInject); + Runnable encodedEcho = new CheckEcho(baseRequestResponse, requestInfo, encodedRequest, pattern.getBytes()); + encodedEcho.run(); + } + return null; + } + + @Override + public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { + return null; + } + + @Override + public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { + return 0; + } + + // helper method to search a response for occurrences of a literal match string + // and return a list of start/end offsets + private List getMatches(byte[] response, byte[] match) { + List matches = new ArrayList(); + + int start = 0; + while (start < response.length) { + start = helpers.indexOf(response, match, true, start, response.length); + if (start == -1) + break; + matches.add(new int[]{start, start + match.length}); + start += match.length; + } + + return matches; + } + + class CheckDNS implements Runnable { + IHttpRequestResponse baseRequestResponse; + IRequestInfo requestInfo; + IScannerInsertionPoint insertionPoint; + + public CheckDNS(IHttpRequestResponse baseRequestResponse, IRequestInfo requestInfo, IScannerInsertionPoint insertionPoint) { + this.baseRequestResponse = baseRequestResponse; + this.requestInfo = requestInfo; + this.insertionPoint = insertionPoint; + } + + @Override + public void run() { + IBurpCollaboratorClientContext context = callbacks.createBurpCollaboratorClientContext(); + String payload = context.generatePayload(true); + String inject = String.format("${dns:address|%s}",payload); + byte[] request = insertionPoint.buildRequest(inject.getBytes()); + IHttpService httpService = baseRequestResponse.getHttpService(); + IHttpRequestResponse requestResponse = callbacks.makeHttpRequest(httpService, request); + byte[] encodedInject; + try { + encodedInject = URLEncoder.encode(inject, "UTF-8").getBytes(); + } catch (Exception e) { + throw new RuntimeException(e); + } + request = insertionPoint.buildRequest(encodedInject); + IHttpRequestResponse encodedRequestResponse = callbacks.makeHttpRequest(httpService, request); + + try { + sleep(10000); + List interactions = context.fetchCollaboratorInteractionsFor(payload); + if (interactions.size() > 0) { + IScanIssue iScanIssue = new CustomScanIssue(httpService, + requestInfo.getUrl(), + new IHttpRequestResponse[]{requestResponse, encodedRequestResponse}, + "text4shell", + "CVE-2022-42889, aka “Text4Shell”, is a vulnerability in the popular Java library “Apache Commons Text” which can result in arbitrary code execution when processing malicious input.", + "High"); + callbacks.addScanIssue(iScanIssue); + } + } catch (Exception e) { + throw new RuntimeException(e); + } + } + } + + + class CheckEcho implements Runnable { + IHttpRequestResponse baseRequestResponse; + IRequestInfo requestInfo; + byte[] request; + byte[] pattern; + + public CheckEcho(IHttpRequestResponse baseRequestResponse, IRequestInfo requestInfo, byte[] request, byte[] pattern) { + this.baseRequestResponse = baseRequestResponse; + this.requestInfo = requestInfo; + this.request = request; + this.pattern = pattern; + } + + @Override + public void run() { + IHttpService httpService = baseRequestResponse.getHttpService(); + IHttpRequestResponse requestResponse = callbacks.makeHttpRequest(httpService, request); + List matches = getMatches(requestResponse.getResponse(), pattern); + if (matches.size() > 0) { + IScanIssue iScanIssue = new CustomScanIssue(httpService, + requestInfo.getUrl(), + new IHttpRequestResponse[]{callbacks.applyMarkers(requestResponse, null, matches)}, + "text4shell", + "CVE-2022-42889, aka “Text4Shell”, is a vulnerability in the popular Java library “Apache Commons Text” which can result in arbitrary code execution when processing malicious input.", + "High"); + callbacks.addScanIssue(iScanIssue); + } + } + } + + class CustomScanIssue implements IScanIssue { + private IHttpService httpService; + private URL url; + private IHttpRequestResponse[] httpMessages; + private String name; + private String detail; + private String severity; + + public CustomScanIssue( + IHttpService httpService, + URL url, + IHttpRequestResponse[] httpMessages, + String name, + String detail, + String severity) { + this.httpService = httpService; + this.url = url; + this.httpMessages = httpMessages; + this.name = name; + this.detail = detail; + this.severity = severity; + } + + + @Override + public URL getUrl() { + return url; + } + + @Override + public String getIssueName() { + return name; + } + + @Override + public int getIssueType() { + return 0; + } + + @Override + public String getSeverity() { + return severity; + } + + @Override + public String getConfidence() { + return "Certain"; + } + + @Override + public String getIssueBackground() { + return null; + } + + @Override + public String getRemediationBackground() { + return null; + } + + @Override + public String getIssueDetail() { + return detail; + } + + @Override + public String getRemediationDetail() { + return null; + } + + @Override + public IHttpRequestResponse[] getHttpMessages() { + return httpMessages; + } + + @Override + public IHttpService getHttpService() { + return httpService; + } + } +}