From 6f0a8dc3ed12b337f58279b3f532bd99ef787f63 Mon Sep 17 00:00:00 2001
From: Leonardo Tamiano
Date: Wed, 11 Dec 2024 14:42:10 -0800
Subject: [PATCH] Copybara import of the project:
--
ce33b3113af6f5c29ba262d14411d1c7e8839e91 by LeonardoE95 :
Add JSP payload for Reflective RCE
--
4b6b849cb51a1f57113ae4d413fa133ddc37d571 by LeonardoE95 :
Fix: Add newline
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/tsunami-security-scanner/pull/127 from mindedsecurity:master 4b6b849cb51a1f57113ae4d413fa133ddc37d571
PiperOrigin-RevId: 705246572
Change-Id: I1661382d3a82855365bc8d253598dd2757a078e0
---
 .../plugin/payload/payload_definitions.yaml | 9 +++++
 ...oadGeneratorWithoutCallbackServerTest.java | 37 +++++++++++++++++++
 proto/payload_generator.proto | 2 +
 3 files changed, 48 insertions(+)
diff --git a/plugin/src/main/resources/com/google/tsunami/plugin/payload/payload_definitions.yaml b/plugin/src/main/resources/com/google/tsunami/plugin/payload/payload_definitions.yaml
index 1fb8f822..49cffa88 100644
--- a/plugin/src/main/resources/com/google/tsunami/plugin/payload/payload_definitions.yaml
+++ b/plugin/src/main/resources/com/google/tsunami/plugin/payload/payload_definitions.yaml
@@ -92,3 +92,12 @@ payloads:
 validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
 vulnerabilityType:
 - REFLECTIVE_RCE
+ - name: jsp_print
+ interpretation_environment: JSP
+ execution_environment: EXEC_INTERPRETATION_ENVIRONMENT
+ uses_callback_server: false
+ payload_string: <% out.print(String.format("%s%s%s","TSUNAMI_PAYLOAD_START", "$TSUNAMI_PAYLOAD_TOKEN_RANDOM", "TSUNAMI_PAYLOAD_END")); %>
+ validation_type: VALIDATION_REGEX
+ validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
+ vulnerability_type:
+ - REFLECTIVE_RCE
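Review bot: The new entry's `vulnerability_type:` key is spelled differently from the `vulnerabilityType:` on the context line two lines above it, so two adjacent payload definitions name the same field two ways. If the YAML is parsed through protobuf's JsonFormat both spellings are accepted, but if it is mapped by exact key then one of the two entries ends up with no vulnerability type and the generator would never select it for REFLECTIVE_RCE. Every other key in the new entry is snake_case, so `vulnerability_type` looks like the intended form and the older context line is the odd one out; it is worth normalising that line in the same change, or at least confirming which spelling the loader honours. The `payloads:` list begins well before this hunk.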
diff --git a/plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java b/plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java
index 4c14830d..6fff0616 100644
--- a/plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java
+++ b/plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java
@@ -79,6 +79,13 @@ public void nextBytes(byte[] bytes) {
 .setExecutionEnvironment(
 PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
 .build();
+ private static final PayloadGeneratorConfig JSP_REFLECTIVE_RCE_CONFIG =
+ PayloadGeneratorConfig.newBuilder()
+ .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
+ .setInterpretationEnvironment(PayloadGeneratorConfig.InterpretationEnvironment.JSP)
+ .setExecutionEnvironment(
+ PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
+ .build();
 private static final PayloadGeneratorConfig WINDOWS_REFLECTIVE_RCE_CONFIG =
 PayloadGeneratorConfig.newBuilder()
 .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
@@ -250,6 +257,36 @@ public void checkIfExecuted_withJavaConfiguration_andIncorrectInput_returnsFalse
 ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
 }
 
+ @Test
+ public void getPayload_withJspConfiguration_returnsPrintfPayload() {
+ Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+ assertThat(payload.getPayload())
+ .isEqualTo(
+ "<% out.print(String.format(\"%s%s%s\",\"TSUNAMI_PAYLOAD_START\", \"ffffffffffffffff\","
+ + " \"TSUNAMI_PAYLOAD_END\")); %>");
+ assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
+ }
+
+ @Test
+ public void checkIfExecuted_withJspConfiguration_andCorrectInput_returnsTrue() {
+ Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+ assertTrue(
+ payload.checkIfExecuted(
+ ByteString.copyFromUtf8(
+ "RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
+ }
+
+ @Test
+ public void checkIfExecuted_withJspConfiguration_andIncorrectInput_returnsFalse() {
+ Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+ assertFalse(
+ payload.checkIfExecuted(
+ ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
+ }
+
 @Test
 public void getPayload_withSsrfConfiguration_returnsGooglePayload() {
 Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
diff --git a/proto/payload_generator.proto b/proto/payload_generator.proto
index 578002d4..496898e2 100644
--- a/proto/payload_generator.proto
+++ b/proto/payload_generator.proto
@@ -62,6 +62,8 @@ message PayloadGeneratorConfig {
 LINUX_ROOT_CRONTAB = 5;
 // Payload is interpreted wihin a Windows shell environment
 WINDOWS_SHELL = 6;
+ // Payload is interpreted within a JSP shell environment
+ JSP = 7;
 }
 
 // The actual runtime environment when the payload is run e.g. while a
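Review bot: The negative case `checkIfExecuted_withJspConfiguration_andIncorrectInput_returnsFalse` only varies whitespace around the token, so it does not show that the check is bound to the random token rather than to the START/END markers alone; the Java-configuration test on the context line follows the same pattern, so this is inherited, but the JSP payload is the one being introduced here. A second rejected input with the markers adjacent but a different token, e.g. `ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START0000000000000000TSUNAMI_PAYLOAD_END")`, would pin that down against the `validation_regex` added in the YAML. The test class continues past the end of this hunk.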
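Review bot: The comment above the new `JSP = 7` value describes a "JSP shell environment", but JSP is a server-page scriptlet evaluated by a servlet container rather than a shell, and the companion payload added in payload_definitions.yaml (`<% out.print(...) %>`) is exactly such a scriptlet, so the wording misdescribes where the payload is interpreted. Suggest `// Payload is interpreted within a JSP (JavaServer Pages) scriptlet, e.g. by a servlet container`. The enclosing `InterpretationEnvironment` enum opens before this hunk.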