https://github.com/synacktiv/QLinspector
Finding Java gadget chains with CodeQL
- Host: GitHub
- URL: https://github.com/synacktiv/QLinspector
- Owner: synacktiv
- License: gpl-3.0
- Created: 2022-03-08T09:16:54.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-03T17:19:01.000Z (6 months ago)
- Last Synced: 2024-05-08T01:33:03.170Z (6 months ago)
- Language: CodeQL
- Size: 346 KB
- Stars: 151
- Watchers: 8
- Forks: 16
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - synacktiv/QLinspector - Finding Java gadget chains with CodeQL (CodeQL)
README
# QLinspector
Finding Java gadget chains with CodeQL.
More information in our [article](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html).
## Installation
Clone the repo
```sh
$ git clone https://github.com/synacktiv/QLinspector.git
```
Search for gadgets (`log4j` being the name of the CodeQL database to analyse):
```sh
$ codeql database analyze log4j --format=sarif-latest --output=log4j.sarif ./QLinspector/
```
## Queries
### `QLinspector.ql`
The main CodeQL query that can be used to find gadget chains.
Here is an example with the AspectJ gadget chain:
![aspectj](img/aspectj.png)
Running the above query can sometimes return a lot of false positives. To filter them the `GadgetSanitizer` class has been added. You can add conditions to filter out `DataFlow::Node`:
```ql
/**
 * placeholder for adding sanitizing steps
 */
class GadgetSanitizer extends DataFlow::Node {
  GadgetSanitizer() {
    this.getEnclosingCallable().hasName("")
  }
}
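/**
 * Added example, not part of the QLinspector repository: concrete
 * conditions that can be used instead of the empty `hasName("")`
 * placeholder above, by writing `isKnownFalsePositive(this)` in the
 * `GadgetSanitizer` characteristic predicate. Both conditions only use
 * the standard CodeQL Java library (`DataFlow` is already imported by the
 * query); the source layout and the package name are assumptions made
 * for this example.
 */
predicate isKnownFalsePositive(DataFlow::Node n) {
  // Nodes in test sources (Maven/Gradle layout assumed): a chain that only
  // exists in test code is not present in the shipped application.
  n.getLocation().getFile().getAbsolutePath().matches("%/src/test/%")
  or
  // Nodes in a package the analyst has already reviewed and cleared;
  // "com.example.reviewed" is a placeholder package name.
  n.getEnclosingCallable()
      .getDeclaringType()
      .getPackage()
      .getName()
      .matches("com.example.reviewed%")
}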
```
### `QLinspectorOld.ql`
Old query that was initially developed. This query does not use the taint model of CodeQL, so it can return different results.
### `BeanFactoryGadgetFinder.ql`
A query that can be used to find new gadget chains based on `org.apache.naming.factory.BeanFactory`. The `BeanFactory` class allows creating an instance of an arbitrary class that has a default constructor and calling any of its public methods that take a single `String` parameter.
More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java
### `CommonsBeanutilsGadgetFinder.ql`
A query that can be used to find alternatives to the `getOutputProperties` method used in the `CommonsBeanutils` chain.
More information here:
- https://www.praetorian.com/blog/relution-remote-code-execution-java-deserialization-vulnerability/
- https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
### `ObjectFactoryFinder.ql`
A query that can be used to find alternatives to `org.apache.naming.factory.BeanFactory`. This could be useful during JNDI exploitation.
More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java
## Resources
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2015-part-1.html
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2015-part-2.html
- https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html
- https://www.synacktiv.com/publications/java-deserialization-tricks
- https://www.praetorian.com/blog/relution-remote-code-execution-java-deserialization-vulnerability/
- https://www.veracode.com/blog/research/exploiting-jndi-injections-java
- https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
- https://testbnull.medium.com/return-of-the-rhino-analysis-of-mozillarhino-gadgetchain-also-the-writeup-of-hitb-linkextractor-a2074b4ae624
- https://www.buaq.net/go-53869.html
- https://b1ue.cn/archives/529.html