0x727 / FingerprintHub

Fingerprint library for ObserverWard (侦查守卫)
https://0x727.github.io/FingerprintHub/
MIT License

Submit fingerprint-[xstream] #58

Closed j4vaovo closed 1 year ago

j4vaovo commented 1 year ago

Test target

https://54.69.100.53/

YAML rule for the fingerprint

```yaml
name: xstream
priority: 3
nuclei_tags:
  - - xstream
fingerprint:
 - path: /
   request_method: get
   request_headers: {}
   request_data: ''
   status_code: 0
   headers: {}
   keyword:
    - com.thoughtworks.xstream
    - Exception
   favicon_hash: []
```

github-actions[bot] commented 1 year ago

Verification process:


```bash
URL: https://54.69.100.53/
HEADERS:
date: Wed, 05 Apr 2023 00:56:02 GMT
content-type: text/html;charset=utf-8
set-cookie: JSESSIONID.7eab5786=node01idr7oa0afpgq1lyhgh3tzjjl4313932.node0; Path=/; Secure; HttpOnly
connection: keep-alive
server: nginx/1.18.0
x-content-type-options: nosniff
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: no-cache,no-store,must-revalidate
x-hudson-theme: default
referrer-policy: same-origin
STATUS_CODE: 500
TEXT: jenkins

 error

com.thoughtworks.xstream.mapper.cannotresolveclassexception: org.jenkinsci.plugins.githubsecurityrealm
    at com.thoughtworks.xstream.mapper.defaultmapper.realclass(defaultmapper.java:79)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.dynamicproxymapper.realclass(dynamicproxymapper.java:55)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.packagealiasingmapper.realclass(packagealiasingmapper.java:88)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.classaliasingmapper.realclass(classaliasingmapper.java:79)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.arraymapper.realclass(arraymapper.java:74)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.securitymapper.realclass(securitymapper.java:71)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at hudson.util.xstream2$compatibilitymapper.realclass(xstream2.java:379)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at hudson.util.xstream.mapperdelegate.realclass(mapperdelegate.java:43)
    at com.thoughtworks.xstream.mapper.mapperwrapper.realclass(mapperwrapper.java:30)
    at com.thoughtworks.xstream.mapper.cachingmapper.realclass(cachingmapper.java:48)
    at hudson.util.robustreflectionconverter.determinetype(robustreflectionconverter.java:458)
    at hudson.util.robustreflectionconverter.dounmarshal(robustreflectionconverter.java:324)
caused: jenkins.util.xstream.criticalxstreamexception: org.jenkinsci.plugins.githubsecurityrealm : org.jenkinsci.plugins.githubsecurityrealm
---- debugging information ----
message             : org.jenkinsci.plugins.githubsecurityrealm
cause-exception     : com.thoughtworks.xstream.mapper.cannotresolveclassexception
cause-message       : org.jenkinsci.plugins.githubsecurityrealm
class               : hudson.model.hudson
required-type       : hudson.model.hudson
converter-type      : hudson.util.robustreflectionconverter
path                : /hudson/securityrealm
line number         : 267
version             : not available
-------------------------------
    at hudson.util.robustreflectionconverter.dounmarshal(robustreflectionconverter.java:353)
    at hudson.util.robustreflectionconverter.unmarshal(robustreflectionconverter.java:267)
    at com.thoughtworks.xstream.core.treeunmarshaller.convert(treeunmarshaller.java:72)
    at com.thoughtworks.xstream.core.abstractreferenceunmarshaller.convert(abstractreferenceunmarshaller.java:65)
    at com.thoughtworks.xstream.core.treeunmarshaller.convertanother(treeunmarshaller.java:66)
    at com.thoughtworks.xstream.core.treeunmarshaller.convertanother(treeunmarshaller.java:50)
    at com.thoughtworks.xstream.core.treeunmarshaller.start(treeunmarshaller.java:134)
    at com.thoughtworks.xstream.core.abstracttreemarshallingstrategy.unmarshal(abstracttreemarshallingstrategy.java:32)
    at com.thoughtworks.xstream.xstream.unmarshal(xstream.java:1189)
    at hudson.util.xstream2.unmarshal(xstream2.java:161)
    at hudson.util.xstream2.unmarshal(xstream2.java:132)
    at com.thoughtworks.xstream.xstream.unmarshal(xstream.java:1173)
    at hudson.xmlfile.unmarshal(xmlfile.java:180)
caused: java.io.ioexception: unable to read /var/jenkins_home/config.xml
    at hudson.xmlfile.unmarshal(xmlfile.java:183)
    at hudson.xmlfile.unmarshal(xmlfile.java:163)
    at jenkins.model.jenkins.loadconfig(jenkins.java:3118)
    at jenkins.model.jenkins.access$1200(jenkins.java:320)
    at jenkins.model.jenkins$13.run(jenkins.java:3219)
    at org.jvnet.hudson.reactor.taskgraphbuilder$taskimpl.run(taskgraphbuilder.java:169)
    at org.jvnet.hudson.reactor.reactor.runtask(reactor.java:296)
    at jenkins.model.jenkins$5.runtask(jenkins.java:1133)
    at org.jvnet.hudson.reactor.reactor$2.run(reactor.java:214)
    at org.jvnet.hudson.reactor.reactor$node.run(reactor.java:117)
    at jenkins.security.impersonatingexecutorservice$1.run(impersonatingexecutorservice.java:59)
    at java.util.concurrent.threadpoolexecutor.runworker(threadpoolexecutor.java:1149)
    at java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:624)
    at java.lang.thread.run(thread.java:748)
caused: org.jvnet.hudson.reactor.reactorexception
    at org.jvnet.hudson.reactor.reactor.execute(reactor.java:282)
    at jenkins.initreactorrunner.run(initreactorrunner.java:50)
    at jenkins.model.jenkins.executereactor(jenkins.java:1166)
    at jenkins.model.jenkins.<init>(jenkins.java:966)
    at hudson.model.hudson.<init>(hudson.java:85)
    at hudson.model.hudson.<init>(hudson.java:81)
    at hudson.webappmain$3.run(webappmain.java:233)
caused: hudson.util.hudsonfailedtoload
    at hudson.webappmain$3.run(webappmain.java:250)
FAVICON: {
    "https://54.69.100.53/favicon.ico": "23e8c7bd78e8cd826c5a6073b15068b1",
    "https://54.69.100.53/static/5168df93/favicon.ico": "23e8c7bd78e8cd826c5a6073b15068b1",
}
Matching fingerprintV3WebFingerPrint {
    name: "xstream",
    priority: 3,
    request: WebFingerPrintRequest {
        path: "/",
        request_method: "get",
        request_headers: {},
        request_data: "",
    },
    match_rules: WebFingerPrintMatch {
        status_code: 0,
        favicon_hash: [],
        headers: {},
        keyword: [
            "com.thoughtworks.xstream",
            "Exception",
        ],
    },
}
```

Verification result:

cn-kali-team commented 1 year ago

Is this a Jenkins plugin, or a fingerprint that many websites have?

j4vaovo commented 1 year ago

It's a component similar to fastjson, used for parsing XML, I think. It's not a Jenkins plugin.

github-actions[bot] commented 1 year ago

Review passed: