t0176bf4ddc7342eb79

探索 解码 销毁

GWT渗透测试工具包Originale版本是从GDSSecurity(演变而来)。GDSSecurity是一套渗透测试辅助工具,在年前最后更新了一次之后它就不更新了,由此出现了Originale版本。

这个工具的新版本和之前的版本使用相同的解析算法,但现在由GWT发布版本更新。目前的版本相对之前有了更多的选项更高地可用性,也修复了之前版本大量的BUG。支持Python 2 和Python 3 (文档中使用Python 3)。

GWT有两种类型的用法:枚举JAVA(服务端)方法和参数以及解码:

 

$ python3 gwt.py --help
usage: gwt.py [-h] [--verbose] [--debug] {enum,en,e,decode,de,dcd,dec,d} ...
GWT pentest tool
optional arguments:
  -h, --help            show this help message and exit
  --verbose             Verbose mode
  --debug               Debug mode
Actions:
  Possible actions
  {enum,en,e,decode,de,dcd,dec,d}
                        Actions that can be performed by the tool
    enum (en, e)        Enumerates all Java methods with their associated
                        parameters
    decode (de, dcd, dec, d)
                        Decodes a [set of] GWT RPC request(s)

 

 

 

这个工具的新版本和之前的版本使用相同的解析算法,但现在由GWT发布版本更新。目前的版本相对之前有了更多的选项更高地可用性,也修复了之前版本大量的BUG。支持Python

示例:

 

$ python3 gwt.py enum --help
usage: gwt.py enum [-h] -u URL [-p PROXY] [-b BASICAUTH] [-c COOKIES]
                   [-o OUTPUT]
Possible options
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL of the nocache.js file
  -p PROXY, --proxy PROXY
                        Proxy host and port (i.e.: "http://localhost:8080")
  -b BASICAUTH, --basicauth BASICAUTH
                        Basic authentication credentials
  -c COOKIES, --cookies COOKIES
                        Cookies to use to get the JS files
  -o OUTPUT, --output OUTPUT
                        Absolute path were to store all parsed requests
                        (default "stdout")

 

示例

 

$ python3 gwt.py enum -u "https://site.com/plop.nocache.js?3790"
This can take a very long time (like 3-4mn)
AppletImportRpc.getAppletProperties()
AppletImportRpc.getJavascriptProperties()
AuthorizationRpc.getAuthorizations()
[...]
UserRpc.setNewPwd(java.lang.Integer, java.lang.String, java.lang.String)
UserRpc.setNewPwd(java.lang.Integer, java.lang.String, java.lang.String, java.lang.String)
UserRpc.storeMetamodelForImport(com.site.client.transport.media.CustomMetamodelTransport)

$ python3 gwt.py enum -u "https://site.com/plop.nocache.js?3790" -o test.txt
This can take a very long time (like 3-4mn)
Output saved to test.txt

 

示例请求解析

 

$ python3 gwt.py decode --help
usage: gwt.py decode [-h] -i INPUT [-s SURROUND] [-r REPLACE] [-b] [-p]
                     [-o OUTPUT] [-m METHODS] [-f]
Possible options
optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        The RPC request payload or Burp log file
  -s SURROUND, --surround SURROUND
                        Surrounds fuzzable parameters by a given string
  -r REPLACE, --replace REPLACE
                        Replaces fuzzable parameters by a given string
  -b, --burp            Surrounds fuzzable parameters by Burp Intruder
                        characters
  -p, --pretty          Human readable formatting of the request
  -o OUTPUT, --output OUTPUT
                        Absolute path were to store all parsed requests
                        (default "stdout")
  -m METHODS, --methods METHODS
                        You can specify a file were all Java methods are
                        enumerated (line separated).This file can be obtained
                        by running the "enum" script
  -f, --fuzz            Outputs only fuzzable strings

 

示例

 $ python3 gwt.py decode -i "4ï¿¿0ï¿¿6ï¿¿https://site.com/ï¿¿C33C748610876DA5ACE277F0EA893A44ï¿¿com.site.client.rpc.MediaRpcï¿¿getMediaHiresHttpPathï¿¿java.lang.Integerï¿¿java.lang.Integer/3438268394ï¿¿1ï¿¿2ï¿¿3ï¿¿4ï¿¿1ï¿¿5ï¿¿6ï¿¿123ï¿¿"
 
 Original request:
4ï¿¿0ï¿¿6ï¿¿https://site.com/ï¿¿C33C748610876DA5ACE277F0EA893A44ï¿¿com.site.client.rpc.MediaRpcï¿¿getMediaHiresHttpPathï¿¿java.lang.Integerï¿¿java.lang.Integer/3438268394ï¿¿1ï¿¿2ï¿¿3ï¿¿4ï¿¿1ï¿¿5ï¿¿6ï¿¿123ï¿¿
Resulting fuzzing string:
4|0|6|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.MediaRpc|getMediaHiresHttpPath|java.lang.Integer|java.lang.Integer/3438268394|1|2|3|4|1|5|6|%d|
$ python3 gwt.py decode -i "4ï¿¿0ï¿¿11ï¿¿https://site.com/ï¿¿C33C748610876DA5ACE277F0EA893A44ï¿¿com.site.client.rpc.UserRpcï¿¿findActivatedUsersByProfileIdï¿¿java.lang.Integerï¿¿Iï¿¿java.lang.Stringï¿¿java.lang.Integer/3438268394ï¿¿pwdï¿¿ASCï¿¿nadminï¿¿1ï¿¿2ï¿¿3ï¿¿4ï¿¿6ï¿¿5ï¿¿6ï¿¿6ï¿¿7ï¿¿7ï¿¿7ï¿¿8ï¿¿1ï¿¿0ï¿¿100ï¿¿9ï¿¿10ï¿¿11ï¿¿" -m "~/available_methods.txt" -b
 
Original request:
4ï¿¿0ï¿¿11ï¿¿https://site.com/ï¿¿C33C748610876DA5ACE277F0EA893A44ï¿¿com.site.client.rpc.UserRpcï¿¿findActivatedUsersByProfileIdï¿¿java.lang.Integerï¿¿Iï¿¿java.lang.Stringï¿¿java.lang.Integer/3438268394ï¿¿pwdï¿¿ASCï¿¿nadminï¿¿1ï¿¿2ï¿¿3ï¿¿4ï¿¿6ï¿¿5ï¿¿6ï¿¿6ï¿¿7ï¿¿7ï¿¿7ï¿¿8ï¿¿1ï¿¿0ï¿¿100ï¿¿9ï¿¿10ï¿¿11ï¿¿
 
Equivalent Java method call:
UserRpc.findActivatedUsersByProfileId(java.lang.Integer 1, I 0, I 100, java.lang.String pwd, java.lang.String ASC, java.lang.String nadmin)
 
Resulting fuzzing string:
4|0|11|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.UserRpc|findActivatedUsersByProfileId|java.lang.Integer|I|java.lang.String|java.lang.Integer/3438268394|§pwd§|§ASC§|§nadmin§|1|2|3|4|6|5|6|6|7|7|7|8|§1§|§0§|§100§|9|10|11|
$ python3 decode -i "/home/miaouplop/security/web/burp/logs/requests.log" -o "plop.txt" -f -b
 
Encountered Error During Parsing with request:
4|0|14|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.TreeRpc|getThumbnailsDatas|java.lang.String|java.lang.Integer|java.lang.Boolean|I|Z|[Ljava.lang.String;|jxtrh8ts-1413979603637|java.lang.Integer/3438268394|java.lang.Boolean/476441737|creationDate|1|2|3|4|9|5|6|7|8|8|5|9|10|7|11|12|-1|13|0|0|60|14|0|0|0|
 
Encountered Error During Parsing with request:
4|0|14|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.TreeRpc|getThumbnailsDatas|java.lang.String|java.lang.Integer|java.lang.Boolean|I|Z|[Ljava.lang.String;|k4tnblyc-1413979609284|java.lang.Integer/3438268394|java.lang.Boolean/476441737|creationDate|1|2|3|4|9|5|6|7|8|8|5|9|10|7|11|12|-1|13|0|0|60|14|0|0|0|
 
Encountered Error During Parsing with request:
4|0|14|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.TreeRpc|getThumbnailsDatas|java.lang.String|java.lang.Integer|java.lang.Boolean|I|Z|[Ljava.lang.String;|ll11tggc-1413979603775|java.lang.Integer/3438268394|java.lang.Boolean/476441737|creationDate|1|2|3|4|9|5|6|7|8|8|5|9|10|7|11|12|-1|13|0|0|60|14|0|0|0|
 
Encountered Error During Parsing with request:
4|0|14|https://site.com/|C33C748610876DA5ACE277F0EA893A44|com.site.client.rpc.TreeRpc|getThumbnailsDatas|java.lang.String|java.lang.Integer|java.lang.Boolean|I|Z|[Ljava.lang.String;|anprx235-1413979619663|java.lang.Integer/3438268394|java.lang.Boolean/476441737|creationDate|1|2|3|4|9|5|6|7|8|8|5|9|10|7|11|12|-1|13|0|0|60|14|0|0|0|
Output saved to plop.txt

 

下载链接:https://github.com/miaouPlop/GWT-3D/releases

 

【Expl0r3r整理发布】

源链接

Hacking more

...